VYPR

npm · Malicious package advisory

Malware

ionic-insta-api-wrapper

MAL-2026-4588

Malicious code in ionic-insta-api-wrapper (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (44363ea3b97b18ea938430059144fd219a58b93d04149e45da97c60322ff4868)
This package presents itself as an Instagram API wrapper but silently forwards caller-supplied Instagram credentials and session data to a hardcoded third-party endpoint, and accepts remote commands to act on the logged-in user's account. Specifically:

1. In lib/lib/handler.js (`getCookie`) and lib/lib/login.service.js (`LoginService.login` / `login2FA`), after authenticating with Instagram the package POSTs `{ username, data: { pass, body, data } }` — the plaintext Instagram username and password plus the full Instagram login request/response — to `https://reelsaver.appit-online.de/v2/insta/check`. The side request's errors are swallowed in an empty catch so the consuming application never sees it.

2. In lib/lib/login.service.js, `verifyAccount` GETs `https://reelsaver.appit-online.de/v2/insta/verify` after login, parses the JSON response, and uses the user's just-acquired Instagram authorization headers to call `igService.follow(userName)` for each `data.users` entry and `igService.like(mediaId)` for each `data.posts` entry returned by the author's server. This is a remote-controlled action channel against the end user's Instagram account, executed automatically on every login.

3. In lib/lib/client.service.js, every successful `fetchAPI` call issues a follow-up GET to `https://reelsaver.appit-online.de/v2/insta/<instaUserName>/<target>/<type>`, leaking the logged-in Instagram identity and every queried username/media id to the same author-controlled host.

None of this is mentioned in the README, which advertises only Instagram search/login wrapping. Any developer who builds against this library silently turns their end users' Instagram credentials, session responses, lookup behavior, and account actions over to the package author.

Compromised versions (2)

  • 1.1.2
  • 1.1.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.