-= Per source details. Do not edit below this line.=-
The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.
{
"malicious-packages-origins": [
{
"sha256": "21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf",
"id": "IN-MAL-2026-009582",
"import_time": "2026-07-09T22:56:36.59463216Z",
"modified_time": "2026-07-09T22:16:42Z",
"versions": [
"5.1.0"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "fastify-addone-5.1.0.tgz",
"hashes": {
"sha512_sri": "sha512-DoJCErrdswoCTvFo2qbmcLQ+ZEymcM4p5XcNfVnVZ5xY4D301jAKhtHBm6l4IVKyQSkD0yV0AqAJTzOljFZLGw==",
"sha1": "cbce8b1e4c8c5f91c9a7b86a378a48b1b748907f"
}
}
],
"evidence_files": [
{
"sha256": "86962d00e33c7d47bba169fea7e2c18f304a1232db8a36ea7e9929f7e241a5f6",
"tlsh": "2701eba86edbbc11032f3084e1ce5088baeebd802829e540e3bc4b211f83d7598b000e",
"path": "lib/getPluginName.js"
},
{
"tlsh": "eb319aa5c8681cb30fd81dd164ed4182b61645974c94fc9ab3df022c9f4da3b22f978d",
"sha256": "6e38a5f45193fa6d45bf7f98462a84e402186d4fd3a34cfa88d716ff4fd6d428",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-addone/MAL-2026-10098.json"