MAL-2026-10064

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/multer-orm/MAL-2026-10064.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10064
Published
2026-07-09T15:55:43Z
Modified
2026-07-09T23:02:01.589213680Z
Summary
Malicious code in multer-orm (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7fb45c09aa7a237b2b9ff18ccf6426b76a4f46e5ea665c7747f35a345940e161)

multer-orm is a typosquat of the widely used multer middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs require('multer-orm'). On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a downloader_url, downloads the referenced binary into the Chrome User Data directory as chrome.exe, marks it executable, and runs it. When the current Node process is not elevated, the code re-spawns itself via powershell Start-Process node -Verb RunAs -WindowStyle Hidden to obtain admin rights, then writes a temporary PowerShell script that calls Add-MpPreference -ExclusionPath against roughly twenty existing directories (including the Chrome/Edge User Data paths where the payload is dropped), executed via cscript.exe, to disable Windows Defender scanning of the dropper's staging locations. The URLs, PowerShell commands, exclusion strings, and filesystem paths are hidden behind obfuscator.io-style string-array + rotation obfuscation in lib/feature.js. package.json also declares a self-referential dependency on multer-orm. Installing or requiring this package results in arbitrary remote code execution on the installer's Windows machine with attempted elevation to admin and antivirus tampering.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.6"
            ],
            "id": "IN-MAL-2026-009288",
            "modified_time": "2026-07-09T15:55:43Z",
            "import_time": "2026-07-09T16:20:57.620659017Z",
            "sha256": "489805f0242c070653fa4e09c782d8135971a370b3ae292d31d721507332a12f",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.0.2"
            ],
            "id": "IN-MAL-2026-009580",
            "modified_time": "2026-07-09T22:16:24Z",
            "import_time": "2026-07-09T22:56:36.439616147Z",
            "sha256": "6d9e8b40fa4ed9affdbbacaa281a4586632d08e92373a4691ca53a28c4788686",
            "source": "amazon-inspector"
        },
        {
            "sha256": "7fb45c09aa7a237b2b9ff18ccf6426b76a4f46e5ea665c7747f35a345940e161",
            "id": "IN-MAL-2026-009577",
            "import_time": "2026-07-09T22:56:36.175107854Z",
            "modified_time": "2026-07-09T22:15:59Z",
            "versions": [
                "2.0.7"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.0.5"
            ],
            "id": "IN-MAL-2026-009579",
            "modified_time": "2026-07-09T22:16:14Z",
            "import_time": "2026-07-09T22:56:36.364842187Z",
            "sha256": "b4d216f328acc30d2c0973e64ba2b4c96ecaf6d2c947bd69de960bfed401ef54",
            "source": "amazon-inspector"
        },
        {
            "sha256": "c40dcc479fcd125917a842f162c5ce866824bf1ce1d28cecfbafc4ca8a143eb4",
            "id": "IN-MAL-2026-009578",
            "import_time": "2026-07-09T22:56:36.281576582Z",
            "modified_time": "2026-07-09T22:16:06Z",
            "versions": [
                "2.0.4"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.0.3"
            ],
            "id": "IN-MAL-2026-009581",
            "modified_time": "2026-07-09T22:16:32Z",
            "import_time": "2026-07-09T22:56:36.515251364Z",
            "sha256": "433be5dbe906a13f599d095cb06a9731b8d148d4d25796ba125b75cd69559936",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / multer-orm

Package

Affected ranges

Affected versions

2.*
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "multer-orm-2.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-FWmZt/kVJbpIqFdjufTYMUnTPrw/T1UtL8cI4wScByNA2pioAgN3yMptWkWNdbay4UtjGJrM2x693dmqSTx6tg==",
                "sha1": "66d1514005d1bc12f1b99569f83dbfa398edd86d"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "c951ec442657651512737bf8b81a5108fa799537692e4001768cc3e63fb9014e7a2fed",
            "sha256": "d91b0a718356b8cc8d75561252f0340240e445b3bf6aa8ba97ccd8c37778a14c",
            "path": "index.js"
        },
        {
            "tlsh": "71f16409a280668ea353aee7a71d72e7e527043c388dcc46d144ffd87c1a231e6d5db6",
            "sha256": "f2b35cfa8fd42bcf5a695b77af76269ca1d38cc1954804b10fe1d16787269e18",
            "path": "lib/feature.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/multer-orm/MAL-2026-10064.json"