MAL-2026-10420

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-addon-extend/MAL-2026-10420.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10420
Published
2026-07-13T06:59:11Z
Modified
2026-07-13T07:47:04.049297081Z
Summary
Malicious code in path-addon-extend (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b383636076e2701a372675c281ee82463d97529ed7d8db027276aa8a8b68b966)

path-addon-extend presents itself as a copy of Node's built-in path module. On module load, path.js issues an HTTPS GET to a base64-obscured URL that decodes to https://json.extendsclass.com/bin/567893d4e220 and passes the response's .content field directly to eval(). The destination is a public JSON-bin service whose contents can be mutated at any time by the publisher (or anyone in possession of the bin token), giving arbitrary remote code execution in any process that requires this package. The endpoint is stored as a base64 literal decoded via atob(...) at call time rather than as a plain string, concealing the destination in a package that otherwise mirrors the Node core path module.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "60906e93ae3b838d259b7ebdb6874779e3c2f83d652488cf3b0039a4844a4db3",
            "id": "IN-MAL-2026-009851",
            "modified_time": "2026-07-13T06:59:17Z",
            "versions": [
                "1.0.7"
            ],
            "import_time": "2026-07-13T07:40:13.227841771Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "id": "IN-MAL-2026-009850",
            "import_time": "2026-07-13T07:40:13.158063878Z",
            "modified_time": "2026-07-13T06:59:11Z",
            "sha256": "b383636076e2701a372675c281ee82463d97529ed7d8db027276aa8a8b68b966",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / path-addon-extend

Package

Affected ranges

Affected versions

1.*
1.0.7
1.0.8

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "d429f669b0a35fef8f0b016641ebd6a87d494f5ff11c7d41ee8b43ab129d7d39",
            "tlsh": "8972a644594571499a3677b0df0a340ef77684f35215ab00f89cea502f72e78a2feee8",
            "path": "path.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "path-addon-extend-1.0.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-aOOTlsTf8snrbd/Ff7ZjrAoeWMcV2lTMfnhKONgLLZ0PWklV2Ob6vL4Ki1UOSqyGW9NJAzMurGeT92Afe+xmyg==",
                "sha1": "f36a3492a442fd47e6be006cc48f23f61836e2dd"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-addon-extend/MAL-2026-10420.json"