-= Per source details. Do not edit below this line.=-
The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured ${baseUrl} and interprets the response as a list of items containing a hotfix.code string. That string is wrapped as return (async ()=>{ <code> })(); and passed to Object.getPrototypeOf(async function(){}).constructor (AsyncFunction) with require, req, res parameters, then awaited. Any JavaScript returned by the configured server therefore runs inside the installer's Node process with full require access and access to the live request/response objects on every HTTP request served through the middleware. The feature is marketed only as 'Dynamic security hotfixes' and is not documented as arbitrary remote code execution. The entire shipped dist/ tree (index.js, bridge.js, client.js) is processed by javascript-obfuscator (rotated base64 string arrays, hex-named identifiers) as declared by the obfuscate/prepublishOnly scripts in package.json, and no source is published — concealing the remote-code-execution mechanism from developers reviewing the SDK. Any compromise, takeover, or on-path MITM of the configured backend converts every deployment using this middleware into a live RCE on production traffic; the maintainer of the backend also holds a persistent, undisclosed remote-execution channel into every installer.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "13053f11dfadc10872af52e744baf9fc3c5fb52764fe0e1ac047f44e7822c12d",
"modified_time": "2026-07-15T03:57:01Z",
"import_time": "2026-07-15T04:32:06.941830718Z",
"id": "IN-MAL-2026-010612",
"versions": [
"1.2.1"
]
},
{
"source": "amazon-inspector",
"sha256": "4acb9448e8289c41cb35a883074545d2a790b719104b2f7c9a99bfca3e3f64ff",
"modified_time": "2026-07-15T03:56:52Z",
"import_time": "2026-07-15T04:32:06.826436494Z",
"id": "IN-MAL-2026-010611",
"versions": [
"1.1.1"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogensec-sdk/MAL-2026-10639.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "3c7aaab86c09fc23fe24fb7f1cbae3175861b0fb3a05bd6edc429862dc0d18b5",
"tlsh": "2b122f203e84155d23622a9bff127be0d94f5c797e44454abc582e587b52e23dfec630"
},
{
"path": "package.json",
"sha256": "9ccf73e109dd864598ff6f64a397486976f96a1dd53e695f30b3a8855e2c16c2",
"tlsh": "b201bd21dc65ed632ac8b9d81c66c04b5624ac5b9a98fc0c338a024c8f0d23fb4fd53e"
}
]
}