MAL-2026-10520

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-bundler/MAL-2026-10520.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10520
Published
2026-07-14T02:41:15Z
Modified
2026-07-14T03:16:56.553011774Z
Summary
Malicious code in fastify-bundler (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b3d824f75a77642b33c2c29524f9decca40c16a12aabe0a2528f3d90deac8720)

The package's exported getPlugin function fetches JSON from https://svganchordev.net/icons/105 and passes the response's data.credits field to new Function() with require, module, process, Buffer, and other Node globals bound, then invokes it. Any consumer that imports fastify-bundler and calls the advertised API executes attacker-supplied JavaScript with full Node privileges; the remote operator can change the payload at any time. The package's declared dependencies (@primno/dpapi for Windows DPAPI credential decryption, better-sqlite3/sqlite3 for Chromium Login Data and Cookies stores, node-machine-id for host fingerprinting, socket.io-client, axios, request) are injected into the require() available to the remote payload, providing a ready-made toolkit for browser-credential theft and C2. The package identity is also deceptive: it is published as 'fastify-bundler' with a description claiming to be a 'high-performance web framework for Node.js', while the shipped README is titled 'Tailwindcss Forms Bundler' and instructs users to `npm install tailwindcss-forms-bundle' — a name/README mismatch targeting three unrelated popular ecosystems to attract installs.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010361",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T03:07:05.756424574Z",
            "sha256": "b3d824f75a77642b33c2c29524f9decca40c16a12aabe0a2528f3d90deac8720",
            "versions": [
                "1.4.13"
            ],
            "modified_time": "2026-07-14T02:41:15Z"
        }
    ]
}
References
Credits

Affected packages

npm / fastify-bundler

Package

Affected ranges

Affected versions

1.*
1.4.13

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-bundler/MAL-2026-10520.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "fastify-bundler-1.4.13.tgz",
            "hashes": {
                "sha512_sri": "sha512-22pdXhYJXq0dPwULKe29E0fxLiQTo8+FEjz/AWZ9lfpMR0WJmmxcCYxMCKGfMZSa3BgYYT67ijLwCPq76QZaUg==",
                "sha1": "f0a121e58ee11e69d792da8f3bdb92136e08a9e0"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "ad6c20cc3443d87b559188e0bbeedaee54047ccfd5e798fb938c15c1e778dd8a",
            "tlsh": "00c1616546fa21a36a67e4edf30f100271a6e2133758e971f48e42902fca568e5f24e8"
        },
        {
            "path": "package.json",
            "sha256": "58f81cf44d62fd20ae760058e0bf0899a0c1bf3768d925ce40736f5045494aea",
            "tlsh": "ec012614ce218e7325d92596982d4186a250d94b8e10fc0c33da569d5f4e97f22fe76c"
        }
    ]
}