MAL-2026-10437

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsonfb/MAL-2026-10437.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10437
Published
2026-07-13T09:17:31Z
Modified
2026-07-13T10:47:04.273806795Z
Summary
Malicious code in jsonfb (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7fc07bf73ed684a1d555baa4dc6cadcd170bde4da4779ef62c0dd3f9cf02c99a)

Package jsonfb@1.1.0 is presented as a JSON.parse bigint helper (mimicking json-bigint, and re-using the real json-bigint maintainer's name in package.json while the repository URL points at an unrelated org). The entire 471 KB index.js is packed with obfuscator.io (rotating 3004-entry string array, RC4-based string decoder, self-defending debugger check, control-flow flattening) that hides all require targets, destination URLs, and config keys. Behind the obfuscation, the module pulls vm, fs, os, http, https, crypto and implements fetchRemoteRiskCode, which HTTP-GETs base64-encoded JavaScript from a set of remoteCodeUrls, decodes it with Buffer.from(data.code,'base64'), and executes it via new vm.Script(code,{filename,timeout}).runInContext(sandboxContext) inside a SandboxManager that exposes fs, os, path, childprocess, http, and require to the fetched code. A startRiskCodePolling loop (default 30s) auto-starts when NODEENV=production or when RISKCODEAUTO_START is set. A companion remoteLog path builds HMAC-MD5-signed POSTs (signWithMD5 with hardcoded signSecretKey/signSecretValue) to remoteLogUrls to ship runtime state and sandbox output back to the operator. The obfuscation, the impersonated author identity, the typosquat name, and the require-time remote-code-execution + signed exfiltration channel together constitute a live C2/dropper delivered as a fake JSON parser.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7fc07bf73ed684a1d555baa4dc6cadcd170bde4da4779ef62c0dd3f9cf02c99a",
            "id": "IN-MAL-2026-010174",
            "import_time": "2026-07-13T10:37:34.826441672Z",
            "modified_time": "2026-07-13T09:17:31Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "98848bd28a5e3618e7db4e91a9186f70be344122f20a963317063ca52badd0b3",
            "id": "IN-MAL-2026-010177",
            "import_time": "2026-07-13T10:37:35.080466974Z",
            "modified_time": "2026-07-13T09:17:54Z",
            "versions": [
                "1.1.0-beta.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "cc9554116a6b3a8cb431a21bbfe2f603f8ace900d2f7da8aac59178461157c4f",
            "id": "IN-MAL-2026-010178",
            "import_time": "2026-07-13T10:37:35.16099686Z",
            "modified_time": "2026-07-13T09:18:02Z",
            "versions": [
                "1.1.0-beta.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / jsonfb

Package

Affected ranges

Affected versions

1.*
1.1.0-beta.1
1.1.0-beta.2
1.1.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "jsonfb-1.1.0-beta.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-lNBIS+g1L2vU1l6jjrXG4lGrctxDUJ9Ku3RzyAk5uUn3M3jvZV9tXSm+ik879K1xcrOOfxrdoM+FzU/8LiZPSg==",
                "sha1": "095b89d4544d5c6fdaed3c138320f9a7825614a4"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "57f0f45bba6668ed3e98cbd6ea939501f03d5ca248f00489b5629d67d46f0ac6",
            "tlsh": "89a4c19467c0e40762cf0b53ff06bae9e56ba9b674c8a8478664799d25bc107c1f0ef0",
            "path": "index.js"
        },
        {
            "sha256": "776be8428a91158eef4e02cb7cfde8051e4a863708dbb5d85b6e3fd4293504e6",
            "tlsh": "cef0e230c174aea30add6b90ac9a2846a9434c679894fc283793111d9fee52f55fd2bc",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsonfb/MAL-2026-10437.json"