OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10635 confirms this npm version as malicious. Package exports a complete Gmail account-hijack pipeline driven by stolen session cookies. Exported helpers (waitForRemoveRecovery, waitForRecoveryAdd, waitForPasswordChange, waitForDeviceLogout, waitForTwoFaActive, waitForNameChange) automate, in sequence: removing the victim's recovery phone number, injecting an attacker-controlled recovery email at the hardcoded domain @oletters.com, resetting the password to a...
Advisory
MAL-2026-10635
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in gmail-changer (npm)
Details
Package exports a complete Gmail account-hijack pipeline driven by stolen session cookies. Exported helpers (waitForRemoveRecovery, waitForRecoveryAdd, waitForPasswordChange, waitForDeviceLogout, waitForTwoFaActive, waitForNameChange) automate, in sequence: removing the victim's recovery phone number, injecting an attacker-controlled recovery email at the hardcoded domain @oletters.com, resetting the password to a random string, signing every other device out, harvesting 2FA seed + backup codes, and changing the display name. OTP interception is wired to a hardcoded SMS-rental endpoint at sever1.tempxapi.com/api/sms, where the package polls for incoming Google verification codes (G-\d{6}) using an X-Integrity-Token to drive recovery-number swaps and login challenges. index.js getMailYear additionally POSTs to Gmail's undocumented sync RPC at mail.google.com/sync/u/0/i/bv with stolen cookies to enumerate the victim's ^all mailbox (up to 2000 messages per page) for post-takeover reconnaissance. Puppeteer is launched with puppeteer-extra-plugin-stealth, --ignore-certificate-errors, and request interception that silently swallows Gmail's SetOSID redirect (replaced with a 200 OK stub) to harvest the session without completing the page transition. Every advertised API mutates a Google account against its owner's interests; there is no legitimate use case. Installing or loading this package equips the installer with — and contributes to a public ecosystem of — operational account-takeover tooling, with a hardcoded attacker drop-domain (@oletters.com) and third-party OTP relay baked in.
Decision reason
OpenSSF Malicious Packages via OSV confirms gmail-changer@2.0.2 as malicious (MAL-2026-10635): Malicious code in gmail-changer (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory