-= Per source details. Do not edit below this line.=-
Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does import '@bcryptln/becryptjs'. The trailing code hoists require, module, __dirname, and __filename onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier Function, constructs a runtime function from a decoded string, and invokes it. Because require is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the import conditional export, targeting modern ESM consumers while keeping the require path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide Function and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.
{
"malicious-packages-origins": [
{
"versions": [
"3.0.8"
],
"id": "IN-MAL-2026-009688",
"import_time": "2026-07-10T18:05:59.568023453Z",
"modified_time": "2026-07-10T17:16:53Z",
"sha256": "187a8bc42e0b5b2b84a05196bf192df5cea272412f0f6c3dfb033e7a84efd12d",
"source": "amazon-inspector"
},
{
"versions": [
"3.0.10"
],
"id": "IN-MAL-2026-009686",
"import_time": "2026-07-10T18:05:59.424757414Z",
"modified_time": "2026-07-10T17:16:37Z",
"sha256": "cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d",
"source": "amazon-inspector"
},
{
"sha256": "dc61cae0736f2880d659ccadc0e57f0a6b555799721b71af48b68510c217f030",
"id": "IN-MAL-2026-009687",
"import_time": "2026-07-10T18:05:59.493461351Z",
"versions": [
"3.0.11"
],
"modified_time": "2026-07-10T17:16:45Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "1e790d92714abbcfcf34440af9b126a471d2c52a325edd77baeeaf7821c18986",
"tlsh": "e9419961ccb08da30bd819d1f8399a12b271495b8c24bd16779e912c8f4e0ef15fe29e",
"path": "package.json"
},
{
"sha256": "6a04e75ccbd3f5d622ca2a4dc4df6eeb514e0eef67372bf7bd36bdc1e7e38534",
"tlsh": "563309840ba721710923b93a572f9485b6b9a1370628fd55bc5c67b09fbf32cd2f1d88",
"path": "umd/index.js"
}
],
"package_integrity": [
{
"filename": "becryptjs-3.0.8.tgz",
"hashes": {
"sha512_sri": "sha512-aE2vcrmfgSkpno/ZP0xmT2RT+hyGDP57pkWa48bL9sZY/Dx+Ps9BJlAyq9onLX5CaemH3ZzV9lfxhnuOUVlxHg==",
"sha1": "f13e2a34533370ae2bf2c338e51de7ef7d76968c"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bcryptln/becryptjs/MAL-2026-10162.json"