MAL-2026-10098

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-addone/MAL-2026-10098.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10098
Published
2026-07-09T22:16:42Z
Modified
2026-07-09T23:02:00.635102184Z
Summary
Malicious code in fastify-addone (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf)

The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf",
            "id": "IN-MAL-2026-009582",
            "import_time": "2026-07-09T22:56:36.59463216Z",
            "modified_time": "2026-07-09T22:16:42Z",
            "versions": [
                "5.1.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / fastify-addone

Package

Affected ranges

Affected versions

5.*
5.1.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "fastify-addone-5.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-DoJCErrdswoCTvFo2qbmcLQ+ZEymcM4p5XcNfVnVZ5xY4D301jAKhtHBm6l4IVKyQSkD0yV0AqAJTzOljFZLGw==",
                "sha1": "cbce8b1e4c8c5f91c9a7b86a378a48b1b748907f"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "86962d00e33c7d47bba169fea7e2c18f304a1232db8a36ea7e9929f7e241a5f6",
            "tlsh": "2701eba86edbbc11032f3084e1ce5088baeebd802829e540e3bc4b211f83d7598b000e",
            "path": "lib/getPluginName.js"
        },
        {
            "tlsh": "eb319aa5c8681cb30fd81dd164ed4182b61645974c94fc9ab3df022c9f4da3b22f978d",
            "sha256": "6e38a5f45193fa6d45bf7f98462a84e402186d4fd3a34cfa88d716ff4fd6d428",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-addone/MAL-2026-10098.json"