npm · Malicious package advisory
Malwareseedcode-facturacion-electronica
MAL-2026-4666
Malicious code in seedcode-facturacion-electronica (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e) The package advertises itself as a client for submitting El Salvador electronic invoices (DTEs) directly to the Ministerio de Hacienda. In practice, the exported `send_to_mh` and `send_invalidation_to_mh` functions hardcode the destination to `https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte` and `.../anular-dte` (the author's own ERP domain), not the official MH endpoint. See `dist/utils/constants.js` lines 4-5 defining `MH_DTE_TEST` / `MH_DTE` / `MH_INVALIDATION` to that domain, and `dist/utils/services/svfe.service.js` line 34 performing `axios.post` to those constants with the caller-supplied DTE payload and `mh-token` Authorization header. Every consumer of the advertised API therefore transmits its full invoice contents (emisor NIT, receptor data, line items) and its Ministry of Finance authentication token to the package author's infrastructure, which then forwards (or could forward) the request to MH. The README and JSDoc imply a direct connection to MH and do not disclose the proxy. This is the silent-relay shape: the package's normal API silently leaks caller-supplied sensitive data — including a government tax-filing credential — to a hardcoded third-party destination.
Compromised versions (1)
- 2.5.35
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.