-= Per source details. Do not edit below this line.=-
Package impersonates Feross Aboukhadijeh's widely-used buffer package, copying its author, repository, contributors, and description metadata while publishing under the name buffer-util-internal. The main module index.js contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's content field directly to eval. The destination URL is hidden behind a variable named tokenStringRe with a misleading // Random string to generate strong random value comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate buffer package.
{
"malicious-packages-origins": [
{
"sha256": "d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7",
"id": "IN-MAL-2026-009668",
"import_time": "2026-07-10T17:10:16.126237682Z",
"modified_time": "2026-07-10T16:55:04Z",
"versions": [
"1.0.13"
],
"source": "amazon-inspector"
},
{
"sha256": "f3a255421103fb27bb0157b46a493187a59fab17fc5b9e6f91bc84359b4225d2",
"id": "IN-MAL-2026-009667",
"modified_time": "2026-07-10T16:54:54Z",
"versions": [
"1.0.14"
],
"import_time": "2026-07-10T17:10:16.081923438Z",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "buffer-util-internal-1.0.13.tgz",
"hashes": {
"sha512_sri": "sha512-BGQ+JtIa4SyjqVemUUbUGBMInmoa4Z5jtuBJafNMh3bUS6+M8HT6W2yArGgAhPznCjZ/xByNx7kGWBCczKdV2A==",
"sha1": "3a9a63692c7449a5352c78a7282983a3fb4e8400"
}
}
],
"evidence_files": [
{
"sha256": "15a480e40f9d5ca47787ad5bfa63329b4743904506825322025771a6fb5e1be1",
"tlsh": "2751952bcc9a4c6b0ab467f5a93e1a0af521472f4490480fb5bf1a8d4ff56a7118df1c",
"path": "package.json"
},
{
"sha256": "259fe955fae02f969363637eb267fa01755fec71c03eaa9d5e7f0cafc7a08015",
"tlsh": "805353022e5251274777b33d984f950efb36e427462688c8b4ac84502fb5964cafbefd",
"path": "index.js"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-util-internal/MAL-2026-10151.json"