npm · Malicious package advisory
Malwaretango-app-api-trax
MAL-2026-4682
Malicious code in tango-app-api-trax (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e7d8f3ef8e6fa016bfc17617ebcedce012c6cce870d89564965a476c3ec8da1c) The tarball contains live, importable credentials for systems other than the installer's own. src/controllers/internalTrax.controller.js hardcodes Lenskart POS authentication (username `tango.eye`, password `55eyetango123`, header `X-Lenskart-API-Key: valyoo123`) inside the exported controllers `aomupdateCollection` and `saleUpdateCollection`, which post to `webservice.pos.lenskart.com` and `central.pos.lenskart.com`. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the `tango.eye` partner and read or mutate employee/store data. Additionally, `fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json` ships a complete Google Cloud service account (`project_id: tango-trax`, `client_email: firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com`) including the `BEGIN PRIVATE KEY` block, granting Firebase Admin privileges over the `tango-trax` GCP project to anyone who pulls the package. There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The `ping` matches in the static analysis are unrelated string occurrences in the controller and not exfiltration behavior.
Compromised versions (7)
- 3.9.10
- 3.9.43
- 3.9.39
- 3.9.21
- 3.9.32
- 3.9.45
- 3.9.47
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.