MAL-2026-6087: Malicious code in uol-simple-api-futebol (npm)
The npm package uol-simple-api-futebol, in versions 4.6.3, 4.6.4, and 4.7.0, contains malicious code that exfiltrates the host process's entire set of environment variables to an attacker-controlled server via an unencrypted HTTP POST request. Those variables typically hold sensitive credentials such as cloud keys, database passwords, API tokens, and other secrets. The exfiltration is concealed in a function named prepareCacheMatchs, which is called by the package's main exported function getJogos(). The malicious behavior is intentionally obfuscated and silently swallows errors to avoid detection.
AI Analysis
Technical Summary
The uol-simple-api-futebol npm package, in versions 4.6.3, 4.6.4, and 4.7.0, contains intentionally concealed malicious code. The main exported function getJogos() calls an internal helper, prepareCacheMatchs, that sends the full contents of process.env to a hardcoded external URL (http://cache.xui-managers.site/global-cache) over plain HTTP. Because the payload is the whole environment, it carries whatever secrets the host keeps there, such as AWS credentials, database passwords, npm tokens, and API keys, including the FOOTBALL_API_KEY referenced in the package's README. The request is wrapped in try/catch blocks that suppress errors, so a failed or blocked upload produces no visible symptom, which makes detection harder. This behavior is unrelated to the package's stated purpose of fetching UOL football listings and represents a severe breach of user security and privacy.
Potential Impact
Users of the affected versions who run the package risk leaking all environment variables to an attacker-controlled server. This can lead to compromise of cloud accounts, databases, private APIs, and other sensitive systems due to exposed credentials and tokens. The exfiltration occurs silently and on first use of the package's main function, increasing the risk of unnoticed data theft. This represents a critical confidentiality breach.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately stop using the affected versions 4.6.3, 4.6.4, and 4.7.0 of uol-simple-api-futebol. Remove the package from all projects and replace it with a trusted alternative or a clean version if available. Rotate any credentials, API keys, and tokens that may have been exposed through the environment variables. Monitor for any suspicious activity related to compromised credentials. Check vendor advisories or trusted sources for updates or official fixes.
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6087
- OSV Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- CVSS Version: null
Threat ID: 6a42ed6927e9c7971993828d
Added to database: 06/29/2026, 22:10:49 UTC
Last enriched: 06/29/2026, 22:35:31 UTC
Last updated: 06/30/2026, 21:32:48 UTC