MAL-2026-10162

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bcryptln/becryptjs/MAL-2026-10162.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10162
Published
2026-07-10T17:16:37Z
Modified
2026-07-10T18:16:50.355263259Z
Summary
Malicious code in @bcryptln/becryptjs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d)

Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does import '@bcryptln/becryptjs'. The trailing code hoists require, module, __dirname, and __filename onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier Function, constructs a runtime function from a decoded string, and invokes it. Because require is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the import conditional export, targeting modern ESM consumers while keeping the require path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide Function and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.8"
            ],
            "id": "IN-MAL-2026-009688",
            "import_time": "2026-07-10T18:05:59.568023453Z",
            "modified_time": "2026-07-10T17:16:53Z",
            "sha256": "187a8bc42e0b5b2b84a05196bf192df5cea272412f0f6c3dfb033e7a84efd12d",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "3.0.10"
            ],
            "id": "IN-MAL-2026-009686",
            "import_time": "2026-07-10T18:05:59.424757414Z",
            "modified_time": "2026-07-10T17:16:37Z",
            "sha256": "cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d",
            "source": "amazon-inspector"
        },
        {
            "sha256": "dc61cae0736f2880d659ccadc0e57f0a6b555799721b71af48b68510c217f030",
            "id": "IN-MAL-2026-009687",
            "import_time": "2026-07-10T18:05:59.493461351Z",
            "versions": [
                "3.0.11"
            ],
            "modified_time": "2026-07-10T17:16:45Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @bcryptln/becryptjs

Package

Name
@bcryptln/becryptjs
View open source insights on deps.dev
Purl
pkg:npm/%40bcryptln/becryptjs

Affected ranges

Affected versions

3.*
3.0.8
3.0.10
3.0.11

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "1e790d92714abbcfcf34440af9b126a471d2c52a325edd77baeeaf7821c18986",
            "tlsh": "e9419961ccb08da30bd819d1f8399a12b271495b8c24bd16779e912c8f4e0ef15fe29e",
            "path": "package.json"
        },
        {
            "sha256": "6a04e75ccbd3f5d622ca2a4dc4df6eeb514e0eef67372bf7bd36bdc1e7e38534",
            "tlsh": "563309840ba721710923b93a572f9485b6b9a1370628fd55bc5c67b09fbf32cd2f1d88",
            "path": "umd/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "becryptjs-3.0.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-aE2vcrmfgSkpno/ZP0xmT2RT+hyGDP57pkWa48bL9sZY/Dx+Ps9BJlAyq9onLX5CaemH3ZzV9lfxhnuOUVlxHg==",
                "sha1": "f13e2a34533370ae2bf2c338e51de7ef7d76968c"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bcryptln/becryptjs/MAL-2026-10162.json"