
MAL-2026-6087: Malicious code in uol-simple-api-futebol (npm)

Critical
Published: 06/17/2026 (06/17/2026, 22:23:08 UTC)
Source: GCVE Database
Product: uol-simple-api-futebol

Description

Versions 4.6.3, 4.6.4, and 4.7.0 of the npm package uol-simple-api-futebol contain malicious code that exfiltrates all environment variables of the host process to an attacker-controlled server via an unencrypted HTTP POST request. This includes sensitive credentials such as cloud keys, database passwords, API tokens, and other secrets. The exfiltration is concealed within a function named prepareCacheMatchs, which is called by the package's main exported function getJogos(). The malicious behavior is intentionally obfuscated and silently swallows errors to avoid detection.

Affected software

npm, ghsa
uol-simple-api-futebol
Affected versions
= 4.6.3, = 4.6.4, = 4.7.0


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/29/2026, 22:35:31 UTC

Technical Analysis

The uol-simple-api-futebol npm package in versions 4.6.3, 4.6.4, and 4.7.0 contains intentionally concealed malicious code. The main exported function getJogos() calls an internal helper function, prepareCacheMatchs, that sends all of the process's environment variables (process.env) to a hardcoded external URL (http://cache.xui-managers.site/global-cache) over plain HTTP. The exfiltrated data includes sensitive information such as AWS credentials, database passwords, npm tokens, and API keys, including FOOTBALL_API_KEY, which the package's README refers to. The exfiltration call is wrapped in try/catch blocks that suppress errors, making detection harder. This behavior is unrelated to the package's stated purpose of fetching UOL football listings and represents a severe breach of user security and privacy.

Potential Impact

Users who run the affected versions risk leaking all environment variables to an attacker-controlled server. Exposed credentials and tokens can lead to compromise of cloud accounts, databases, private APIs, and other sensitive systems. The exfiltration occurs silently and on first use of the package's main function, increasing the risk of unnoticed data theft. This represents a critical confidentiality breach.

Mitigation Recommendations

No official patch or remediation is currently documented. Users should immediately stop using the affected versions 4.6.3, 4.6.4, and 4.7.0 of uol-simple-api-futebol. Remove the package from all projects and replace it with a trusted alternative or a clean version if available. Rotate any credentials, API keys, and tokens that may have been exposed through environment variables. Monitor for suspicious activity involving the compromised credentials. Check vendor advisories or trusted sources for updates or official fixes.


Technical Details

GCVE Source: db.gcve.eu
OSV ID: MAL-2026-6087
OSV Schema Version: 1.7.4
Aliases: []
Ecosystems: ["npm"]
Database Specific Severity: null
CVSS Version: null

Threat ID: 6a42ed6927e9c7971993828d

Added to database: 06/29/2026, 22:10:49 UTC

Last enriched: 06/29/2026, 22:35:31 UTC

Last updated: 06/30/2026, 21:32:48 UTC
