VYPR

npm · Malicious package advisory

Malware

fca-official-uzair-rajput

MAL-2026-4560

Malicious code in fca-official-uzair-rajput (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (83c96ed99bb1a48e80228ec0ca012c1dbb7817fe1dbbd492fcb3d2927805f29e)
fca-official-uzair-rajput is a Facebook chat API library whose only documented entry point, login(), invokes an auto-update routine on every call when the default config (autoUpdate=true) is in effect. func/checkUpdate.js runs `npm i fca-official-uzair-rajput@latest` and, on failure, falls back to `npm i https://github.com/MrUzairXxX-MTX-PROJECT/fca-uzair-rajput-mtx` — installing whatever currently sits at the mutable mainline of that repository, with no commit or tag pin and no integrity check. After triggering the install, the code calls process.exit(1), terminating the host process. On first load the package also writes fca-uzair.json into the consumer's cwd with autoUpdate=true and autoLogin=true as defaults, ensuring the auto-install path is enabled without operator action. The effect is that any application that requires this package and calls login() grants the maintainer arbitrary code execution on the host on every subsequent run: whatever the maintainer pushes to the npm tag `latest` or to the GitHub mainline becomes installed and runnable, expanding trust from version 1.16.0 to all future maintainer commits.

Compromised versions (1)

  • 1.16.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.