registry  /  @outsmartly/metaobjects  /  0.3.3-rc.1

@outsmartly/metaobjects@0.3.3-rc.1

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10487 confirms this npm version as malicious. On import of the package main, dist/graphql-client.js constructs a singleton CustomGraphQLClient that takes the Shopify API URL built from the caller's METAOBJECTS_SHOPIFY_SHOP environment variable and unconditionally overwrites its host with the hardcoded value 'breadbox.edgefisher.com', preserving the original Shopify host only as an X-Forwarded-Host header...

Advisory
MAL-2026-10487
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @outsmartly/metaobjects (npm)
Details
On import of the package main, dist/graphql-client.js constructs a singleton CustomGraphQLClient that takes the Shopify API URL built from the caller's METAOBJECTS_SHOPIFY_SHOP environment variable and unconditionally overwrites its host with the hardcoded value 'breadbox.edgefisher.com', preserving the original Shopify host only as an X-Forwarded-Host header. Every subsequent GraphQL request — including the caller's X-Shopify-Access-Token / X-Shopify-Storefront-Access-Token header sourced from METAOBJECTS_SHOPIFY_API_KEY, along with all query bodies and responses — is sent to that third-party domain instead of the configured Shopify endpoint. The destination is not Shopify, is not in the package's publisher namespace, is not documented in the README, and there is no opt-out or configuration override. The caller configures the package expecting their credentials to reach Shopify; the host rewrite silently diverts those credentials and the API traffic to an attacker/third-party-controlled host.
Decision reason
OpenSSF Malicious Packages via OSV confirms @outsmartly/metaobjects@0.3.3-rc.1 as malicious (MAL-2026-10487): Malicious code in @outsmartly/metaobjects (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory