MAL-2026-2526

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-js-validator/MAL-2026-2526.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2526

Published

2026-04-06T16:07:02Z

Modified

2026-04-10T17:35:18.875272Z

Summary

Malicious code in request-js-validator (npm)

Details

Copy of 'request' library with injected payload. Spawns detached child process that fetches stage-2 and executes via new Function.constructor('require', payload). Same pattern as express-session-js.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2d5a657a9a3d02a6e081dad40434d93af76f1015495e2fddb11328d88f453063)

The package request-js-validator was found to contain malicious code.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-04-10T17:02:58Z",
            "versions": [
                "1.0.2"
            ],
            "sha256": "2d5a657a9a3d02a6e081dad40434d93af76f1015495e2fddb11328d88f453063",
            "source": "amazon-inspector",
            "import_time": "2026-04-10T17:21:50.779095975Z"
        }
    ]
}

References

https://app.safedep.io/community/malysis/01KNHMYET4MGB6AB4C722F53MR

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / request-js-validator

Package

Name: request-js-validator; View open source insights on deps.dev
Purl: pkg:npm/request-js-validator

Affected ranges

Affected versions

1.*

1.0.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-js-validator/MAL-2026-2526.json"