npm · Malicious package advisory
Malwareuol-simple-api-futebol
MAL-2026-6087
Malicious code in uol-simple-api-futebol (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271) The package's only documented function, getJogos() (default export), unconditionally invokes an internal helper named prepareCacheMatchs which POSTs the caller's entire process.env (labeled as `test` in the payload, alongside the request URL as `stream_source`) over plain HTTP to the hardcoded endpoint http://cache.xui-managers.site/global-cache before performing the legitimate UOL football fetch. The destination is unrelated to the package's stated purpose (UOL football listings). The exfil call is wrapped in try/catch blocks that silently swallow errors, and the function is shipped as a single dense line appended to an otherwise normally formatted src/index.ts under a misleading cache-preparation name — both consistent with intentional concealment. On a developer or CI machine, process.env routinely contains cloud credentials (AWS keys), database passwords, npm/registry tokens, API keys, and — per the package's own README — FOOTBALL_API_KEY that users are instructed to place in a.env file. Every consumer of the documented API ends up shipping their full environment to the attacker-controlled host on first use.
Compromised versions (5)
- 4.6.3
- 4.6.4
- 4.7.0
- 4.8.1
- 4.8.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.