-= Per source details. Do not edit below this line.=-
The package presents itself as a copy of the Node.js core path module (name path-internal, README: "exact copy of the NodeJS 'path' module") and ships the upstream Joyent path implementation with a malicious dropper spliced between posix.basename and posix.extname in path.js. On require('path-internal'), the module decodes a base64-encoded URL (https://www.jsonkeeper.com/b/YCW2F, stored under the misleading variable name randomStringRe), fetches the JSON document at that URL, and passes data.content straight to eval(). A second identical IIFE for https://www.jsonkeeper.com/b/TPQHE is present (commented out) under tokenStringRe. jsonkeeper.com is an anonymous, mutable paste host: the attacker can change the served payload at any time to execute arbitrary code in-process on every installer that imports the package. The base64 obfuscation, the regex-shaped decoy variable names, the splice into a verbatim copy of a Node stdlib module, and the typosquat name (with the README also confusingly suggesting npm install --save path-external) collectively confirm malicious intent rather than negligence.
The OpenSSF Package Analysis project identified 'path-internal' @ 1.0.10 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"sha256": "37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea",
"import_time": "2026-04-20T04:35:28.98285502Z",
"modified_time": "2026-04-14T10:53:25Z",
"source": "ossf-package-analysis",
"versions": [
"1.0.10"
]
},
{
"sha256": "3ffd83abacf171f62d4ab24cb566309928d5ae7d0fa65b7b8dd9cb6adafb0b99",
"versions": [
"1.0.11"
],
"import_time": "2026-04-20T04:35:29.310441798Z",
"source": "ossf-package-analysis",
"modified_time": "2026-04-17T20:50:36Z"
},
{
"sha256": "abc4831453df57bac423574143b194320835024fc24fdc838ee77b08db8a4e52",
"versions": [
"1.0.10",
"1.0.11"
],
"import_time": "2026-04-23T20:49:13.97191322Z",
"source": "amazon-inspector",
"modified_time": "2026-04-23T20:43:56Z"
},
{
"sha256": "69a980bf55ae1f73da093b3b7c1a29a2036d779a4eaefa932d35a7190bef8f56",
"import_time": "2026-05-04T03:13:19.953289264Z",
"modified_time": "2026-05-01T07:37:53Z",
"source": "ossf-package-analysis",
"versions": [
"1.0.12"
]
},
{
"sha256": "b6bf7ad436a59244e2afc4824dd817d97fea9639a779630425bba77546be2708",
"import_time": "2026-05-26T00:54:39.689491526Z",
"modified_time": "2026-05-25T17:03:12Z",
"source": "ossf-package-analysis",
"versions": [
"1.0.14"
]
},
{
"versions": [
"1.0.13"
],
"sha256": "b6f9fdab17c04f83092e8be5cd40659ff6a7fd4ba936ee30fd1ae03e92311e2e",
"import_time": "2026-05-26T05:53:07.00310722Z",
"modified_time": "2026-05-25T15:28:53Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004702"
},
{
"source": "amazon-inspector",
"sha256": "2e41b4e12365824a7df50e3711c5c1d31e64ca4972e2571fa79082d18efa1844",
"import_time": "2026-05-26T05:53:09.06108946Z",
"modified_time": "2026-05-25T16:14:35Z",
"id": "IN-MAL-2026-004718",
"versions": [
"1.0.14"
]
},
{
"import_time": "2026-05-26T05:53:08.930672262Z",
"sha256": "5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0",
"modified_time": "2026-05-25T16:10:18Z",
"versions": [
"1.0.14"
],
"id": "IN-MAL-2026-004717",
"source": "amazon-inspector"
},
{
"modified_time": "2026-05-25T15:28:53Z",
"sha256": "a19a0df6f7e1346a46e8a6d85d06ecf9fc66090ecd3dd5f017c5308a1525bf7f",
"versions": [
"1.0.13"
],
"import_time": "2026-05-26T05:53:06.91103367Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004701"
},
{
"source": "amazon-inspector",
"sha256": "185fac17d53eeb731bbed369b674ab4669fa08230adb48a218362850eced5116",
"import_time": "2026-06-08T21:15:22.39933678Z",
"modified_time": "2026-06-08T20:30:15Z",
"id": "IN-MAL-2026-004938",
"versions": [
"1.0.15"
]
},
{
"source": "amazon-inspector",
"sha256": "e966da8efc781225d9f41e938d651f4d9e98046c3b7ed345733bd2846c935b95",
"import_time": "2026-06-08T21:15:22.484880632Z",
"modified_time": "2026-06-08T20:30:16Z",
"id": "IN-MAL-2026-004939",
"versions": [
"1.0.15"
]
},
{
"source": "reversing-labs",
"sha256": "480c9f15a8cecfb3bbaaf933a44dbf709c64db1eb1064dcb6da80bf83c119c63",
"import_time": "2026-07-09T09:16:41.54418022Z",
"modified_time": "2026-07-07T13:03:35Z",
"id": "RLMA-2026-05206",
"versions": [
"1.0.0",
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.8",
"1.0.9",
"1.0.10",
"1.0.11",
"1.0.12",
"1.0.13",
"1.0.14"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "path-internal-1.0.14.tgz",
"hashes": {
"sha1": "2bfd7c233875c9c083ac2ab6788b96c152c77310",
"sha512_sri": "sha512-SGhhcA9/55KjQFUm0NK0aIaSEIm0CiTbNFMm4qICfUYfazXSQxQe9Dbb63C0Z9qjkH2h44cZheYtl+s3UH3LPw=="
}
}
],
"evidence_files": [
{
"tlsh": "6182a5045946255a9a3677b0df0a340ef77684f34315ab00f89ce6502f72e78a2feed8",
"sha256": "756a8386bde78c2359fa7822a7d5a073fc7dd73d9022f2b6b221b57d267788aa",
"path": "path.js"
},
{
"tlsh": "e2e0df31cd46ec3304e522a43d35461ba1a18d4b0806f80923829b4c9b8e5afa0b83ac",
"sha256": "25f7cc92174323df15dc190277845dc2a891a4b153e811f344c780f6268b1eac",
"path": "package.json"
}
],
"domains": [
"www.jsonkeeper.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json"