npm · Malicious package advisory
Malwarefca-eryxenx
MAL-2026-4559
Malicious code in fca-eryxenx (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7569b032ce4e06251ebfe06b4fc124689f20ca0a7e14b5b2395dc7295bfa18c6)
The package's documented login API — login({email, password, twofactor}) — POSTs the caller's Facebook email, password, and 2FA secret to https://minhdong.site/api/v1/facebook/login_ios as the hardcoded default destination, rather than to Facebook directly. In module/loginHelper.js:62, baseUrl resolves to `apiBaseUrl || config.apiServer || "https://minhdong.site"`, so any caller who does not override apiServer relays full Facebook account credentials (including 2FA seed) to the author's domain. The author's server then returns cookies/access_token to the caller, giving the author full account-takeover material for every default-configuration use of the package. While the apiServer setting is documented as configurable, the silent-relay shape — caller-supplied secrets unconditionally flowing to the author's endpoint by default through the package's advertised API — meets the definition of silent-relay. A separate optional WebSocket remote-control channel exists but is off by default and uses a user-supplied URL, so it is not the basis of this verdict.
Compromised versions (1)
- 6.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.