MAL-2026-10639

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogensec-sdk/MAL-2026-10639.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10639
Published
2026-07-15T03:56:52Z
Modified
2026-07-15T05:20:08.875481861Z
Summary
Malicious code in ogensec-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4acb9448e8289c41cb35a883074545d2a790b719104b2f7c9a99bfca3e3f64ff)

The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured ${baseUrl} and interprets the response as a list of items containing a hotfix.code string. That string is wrapped as return (async ()=>{ <code> })(); and passed to Object.getPrototypeOf(async function(){}).constructor (AsyncFunction) with require, req, res parameters, then awaited. Any JavaScript returned by the configured server therefore runs inside the installer's Node process with full require access and access to the live request/response objects on every HTTP request served through the middleware. The feature is marketed only as 'Dynamic security hotfixes' and is not documented as arbitrary remote code execution. The entire shipped dist/ tree (index.js, bridge.js, client.js) is processed by javascript-obfuscator (rotated base64 string arrays, hex-named identifiers) as declared by the obfuscate/prepublishOnly scripts in package.json, and no source is published — concealing the remote-code-execution mechanism from developers reviewing the SDK. Any compromise, takeover, or on-path MITM of the configured backend converts every deployment using this middleware into a live RCE on production traffic; the maintainer of the backend also holds a persistent, undisclosed remote-execution channel into every installer.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "13053f11dfadc10872af52e744baf9fc3c5fb52764fe0e1ac047f44e7822c12d",
            "modified_time": "2026-07-15T03:57:01Z",
            "import_time": "2026-07-15T04:32:06.941830718Z",
            "id": "IN-MAL-2026-010612",
            "versions": [
                "1.2.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "4acb9448e8289c41cb35a883074545d2a790b719104b2f7c9a99bfca3e3f64ff",
            "modified_time": "2026-07-15T03:56:52Z",
            "import_time": "2026-07-15T04:32:06.826436494Z",
            "id": "IN-MAL-2026-010611",
            "versions": [
                "1.1.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ogensec-sdk

Package

Affected ranges

Affected versions

1.*
1.1.1
1.2.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogensec-sdk/MAL-2026-10639.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "3c7aaab86c09fc23fe24fb7f1cbae3175861b0fb3a05bd6edc429862dc0d18b5",
            "tlsh": "2b122f203e84155d23622a9bff127be0d94f5c797e44454abc582e587b52e23dfec630"
        },
        {
            "path": "package.json",
            "sha256": "9ccf73e109dd864598ff6f64a397486976f96a1dd53e695f30b3a8855e2c16c2",
            "tlsh": "b201bd21dc65ed632ac8b9d81c66c04b5624ac5b9a98fc0c338a024c8f0d23fb4fd53e"
        }
    ]
}