MAL-2026-10151

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-util-internal/MAL-2026-10151.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10151
Published
2026-07-10T16:54:54Z
Modified
2026-07-10T17:17:01.884296906Z
Summary
Malicious code in buffer-util-internal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7)

Package impersonates Feross Aboukhadijeh's widely-used buffer package, copying its author, repository, contributors, and description metadata while publishing under the name buffer-util-internal. The main module index.js contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's content field directly to eval. The destination URL is hidden behind a variable named tokenStringRe with a misleading // Random string to generate strong random value comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate buffer package.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7",
            "id": "IN-MAL-2026-009668",
            "import_time": "2026-07-10T17:10:16.126237682Z",
            "modified_time": "2026-07-10T16:55:04Z",
            "versions": [
                "1.0.13"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "f3a255421103fb27bb0157b46a493187a59fab17fc5b9e6f91bc84359b4225d2",
            "id": "IN-MAL-2026-009667",
            "modified_time": "2026-07-10T16:54:54Z",
            "versions": [
                "1.0.14"
            ],
            "import_time": "2026-07-10T17:10:16.081923438Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / buffer-util-internal

Package

Name
buffer-util-internal
View open source insights on deps.dev
Purl
pkg:npm/buffer-util-internal

Affected ranges

Affected versions

1.*
1.0.13
1.0.14

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "buffer-util-internal-1.0.13.tgz",
            "hashes": {
                "sha512_sri": "sha512-BGQ+JtIa4SyjqVemUUbUGBMInmoa4Z5jtuBJafNMh3bUS6+M8HT6W2yArGgAhPznCjZ/xByNx7kGWBCczKdV2A==",
                "sha1": "3a9a63692c7449a5352c78a7282983a3fb4e8400"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "15a480e40f9d5ca47787ad5bfa63329b4743904506825322025771a6fb5e1be1",
            "tlsh": "2751952bcc9a4c6b0ab467f5a93e1a0af521472f4490480fb5bf1a8d4ff56a7118df1c",
            "path": "package.json"
        },
        {
            "sha256": "259fe955fae02f969363637eb267fa01755fec71c03eaa9d5e7f0cafc7a08015",
            "tlsh": "805353022e5251274777b33d984f950efb36e427462688c8b4ac84502fb5964cafbefd",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-util-internal/MAL-2026-10151.json"