MAL-2026-2798
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-easy-validator/MAL-2026-2798.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2798
- Published
- 2026-04-16T10:15:30Z
- Modified
- 2026-05-26T06:02:53.294542397Z
- Summary
- Malicious code in request-easy-validator (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b)
request-easy-validator impersonates the popular
requestpackage (cloned README, bugs URL points at github.com/request/request, source is a fork ofrequest) and ships a hidden remote-code-execution dropper. index.js exports amiddlewarefunction (also exposed as default,.reqValidator, and.request) that, on any invocation by the consumer, spawns a detachednode lib/callers.jschild withstdio: 'ignore'andchild.unref()to hide it from the parent process. lib/callers.js then issues an HTTPS GET to https://jsonkeeper.com/b/PWEH9 (an anonymous, mutable, attacker-controlled paste host) with headerx-secret-key: _, takes the.Cookiefield from the response, and passes it tonew Function.constructor('require', s)invoked with the liverequire— granting the paste-host operator arbitrary Node.js code execution with full module access on any server using this package. The payload URL is mutable, so the attacker can change the executed code at any time without republishing the package. - Database specific
{ "malicious-packages-origins": [ { "modified_time": "2026-04-16T10:15:30Z", "versions": [ "1.1.0", "1.2.0", "1.2.1" ], "sha256": "8edcb2f860332561b7d9050d2ce2e2dcb82eecbbc51dc8c659ca4e741f70de1b", "id": "RLMA-2026-02035", "source": "reversing-labs", "import_time": "2026-04-16T15:39:16.491459746Z" }, { "import_time": "2026-04-23T20:48:59.140631663Z", "versions": [ "1.1.0", "1.2.0", "1.2.1" ], "sha256": "f6016a67de1924ce3156de3c59cb6f311ad9fe0151c129cd63dc56007576a369", "source": "amazon-inspector", "modified_time": "2026-04-23T20:43:56Z" }, { "modified_time": "2026-05-20T04:12:52Z", "versions": [ "1.0.6" ], "sha256": "59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b", "id": "IN-MAL-2026-003458", "source": "amazon-inspector", "import_time": "2026-05-26T05:50:40.87663445Z" }, { "import_time": "2026-05-26T05:50:40.784672454Z", "versions": [ "1.0.7" ], "sha256": "59c86157ff92828c8f05107e9b16169821d937ef657d7fcbb19d6862242c07af", "id": "IN-MAL-2026-003457", "source": "amazon-inspector", "modified_time": "2026-05-20T04:12:27Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- ReversingLabs - FINDER
-
Affected packages
npm / request-easy-validator
Package
- Name
- request-easy-validator
- View open source insights on deps.dev
- Purl
- pkg:npm/request-easy-validator
Database specific
indicators
{
"evidence_files": [
{
"sha256": "9e82b0f3bea4634d83caf9fb953b559d92f0a1980e28439500e01d62e909e2d2",
"tlsh": "7001cb8f70ac545c09b013f6bb1fe436f621a46b390291d0375c87421f769ad6603eee",
"path": "lib/callers.js"
},
{
"sha256": "99eb2633488f428557d3222c324fdcd95fe719ab092fa3bb34f2263f79dd15bd",
"tlsh": "72415220cc6a8c931ec929e5687d5643b1a0e41bce41bc1d778a639c4f4e46f32b8f6d",
"path": "package.json"
},
{
"sha256": "356f24fff7af39ef7026879a2c571b3c81ee0ecf880078e24b25be69fe5642d6",
"tlsh": "87a1648526e373519aebb2d1e81f4229b675d223320e1a7178c587d81f0cc69d3b3dd5",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-uyFVWy1EhsZI9PRvTMCwRYpUomfFeGVoGUfJ1F4nXRxtUMT/sigHG+5KbTF5zOuaJsXpomaUmRKr3+gdj1Mccw==",
"sha1": "cbc47e82cba4fdfeeab1ca30becb9e459061e49c"
},
"filename": "request-easy-validator-1.0.6.tgz"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-easy-validator/MAL-2026-2798.json"
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]