VYPR

npm · Malicious package advisory

Malware

tango-app-api-trax

MAL-2026-4682

Malicious code in tango-app-api-trax (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e7d8f3ef8e6fa016bfc17617ebcedce012c6cce870d89564965a476c3ec8da1c)
The tarball contains live, importable credentials for systems other than the installer's own. src/controllers/internalTrax.controller.js hardcodes Lenskart POS authentication (username `tango.eye`, password `55eyetango123`, header `X-Lenskart-API-Key: valyoo123`) inside the exported controllers `aomupdateCollection` and `saleUpdateCollection`, which post to `webservice.pos.lenskart.com` and `central.pos.lenskart.com`. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the `tango.eye` partner and read or mutate employee/store data. Additionally, `fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json` ships a complete Google Cloud service account (`project_id: tango-trax`, `client_email: firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com`) including the `BEGIN PRIVATE KEY` block, granting Firebase Admin privileges over the `tango-trax` GCP project to anyone who pulls the package. There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The `ping` matches in the static analysis are unrelated string occurrences in the controller and not exfiltration behavior.

Compromised versions (7)

  • 3.9.10
  • 3.9.43
  • 3.9.39
  • 3.9.21
  • 3.9.32
  • 3.9.45
  • 3.9.47

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.