MAL-2026-2930

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2930
Published
2026-04-14T10:53:25Z
Modified
2026-07-09T09:32:58.585534259Z
Summary
Malicious code in path-internal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0)

The package presents itself as a copy of the Node.js core path module (name path-internal, README: "exact copy of the NodeJS 'path' module") and ships the upstream Joyent path implementation with a malicious dropper spliced between posix.basename and posix.extname in path.js. On require('path-internal'), the module decodes a base64-encoded URL (https://www.jsonkeeper.com/b/YCW2F, stored under the misleading variable name randomStringRe), fetches the JSON document at that URL, and passes data.content straight to eval(). A second identical IIFE for https://www.jsonkeeper.com/b/TPQHE is present (commented out) under tokenStringRe. jsonkeeper.com is an anonymous, mutable paste host: the attacker can change the served payload at any time to execute arbitrary code in-process on every installer that imports the package. The base64 obfuscation, the regex-shaped decoy variable names, the splice into a verbatim copy of a Node stdlib module, and the typosquat name (with the README also confusingly suggesting npm install --save path-external) collectively confirm malicious intent rather than negligence.

Source: ossf-package-analysis (37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea)

The OpenSSF Package Analysis project identified 'path-internal' @ 1.0.10 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea",
            "import_time": "2026-04-20T04:35:28.98285502Z",
            "modified_time": "2026-04-14T10:53:25Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.10"
            ]
        },
        {
            "sha256": "3ffd83abacf171f62d4ab24cb566309928d5ae7d0fa65b7b8dd9cb6adafb0b99",
            "versions": [
                "1.0.11"
            ],
            "import_time": "2026-04-20T04:35:29.310441798Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-04-17T20:50:36Z"
        },
        {
            "sha256": "abc4831453df57bac423574143b194320835024fc24fdc838ee77b08db8a4e52",
            "versions": [
                "1.0.10",
                "1.0.11"
            ],
            "import_time": "2026-04-23T20:49:13.97191322Z",
            "source": "amazon-inspector",
            "modified_time": "2026-04-23T20:43:56Z"
        },
        {
            "sha256": "69a980bf55ae1f73da093b3b7c1a29a2036d779a4eaefa932d35a7190bef8f56",
            "import_time": "2026-05-04T03:13:19.953289264Z",
            "modified_time": "2026-05-01T07:37:53Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.12"
            ]
        },
        {
            "sha256": "b6bf7ad436a59244e2afc4824dd817d97fea9639a779630425bba77546be2708",
            "import_time": "2026-05-26T00:54:39.689491526Z",
            "modified_time": "2026-05-25T17:03:12Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.14"
            ]
        },
        {
            "versions": [
                "1.0.13"
            ],
            "sha256": "b6f9fdab17c04f83092e8be5cd40659ff6a7fd4ba936ee30fd1ae03e92311e2e",
            "import_time": "2026-05-26T05:53:07.00310722Z",
            "modified_time": "2026-05-25T15:28:53Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004702"
        },
        {
            "source": "amazon-inspector",
            "sha256": "2e41b4e12365824a7df50e3711c5c1d31e64ca4972e2571fa79082d18efa1844",
            "import_time": "2026-05-26T05:53:09.06108946Z",
            "modified_time": "2026-05-25T16:14:35Z",
            "id": "IN-MAL-2026-004718",
            "versions": [
                "1.0.14"
            ]
        },
        {
            "import_time": "2026-05-26T05:53:08.930672262Z",
            "sha256": "5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0",
            "modified_time": "2026-05-25T16:10:18Z",
            "versions": [
                "1.0.14"
            ],
            "id": "IN-MAL-2026-004717",
            "source": "amazon-inspector"
        },
        {
            "modified_time": "2026-05-25T15:28:53Z",
            "sha256": "a19a0df6f7e1346a46e8a6d85d06ecf9fc66090ecd3dd5f017c5308a1525bf7f",
            "versions": [
                "1.0.13"
            ],
            "import_time": "2026-05-26T05:53:06.91103367Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004701"
        },
        {
            "source": "amazon-inspector",
            "sha256": "185fac17d53eeb731bbed369b674ab4669fa08230adb48a218362850eced5116",
            "import_time": "2026-06-08T21:15:22.39933678Z",
            "modified_time": "2026-06-08T20:30:15Z",
            "id": "IN-MAL-2026-004938",
            "versions": [
                "1.0.15"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "e966da8efc781225d9f41e938d651f4d9e98046c3b7ed345733bd2846c935b95",
            "import_time": "2026-06-08T21:15:22.484880632Z",
            "modified_time": "2026-06-08T20:30:16Z",
            "id": "IN-MAL-2026-004939",
            "versions": [
                "1.0.15"
            ]
        },
        {
            "source": "reversing-labs",
            "sha256": "480c9f15a8cecfb3bbaaf933a44dbf709c64db1eb1064dcb6da80bf83c119c63",
            "import_time": "2026-07-09T09:16:41.54418022Z",
            "modified_time": "2026-07-07T13:03:35Z",
            "id": "RLMA-2026-05206",
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2",
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6",
                "1.0.7",
                "1.0.8",
                "1.0.9",
                "1.0.10",
                "1.0.11",
                "1.0.12",
                "1.0.13",
                "1.0.14"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / path-internal

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "path-internal-1.0.14.tgz",
            "hashes": {
                "sha1": "2bfd7c233875c9c083ac2ab6788b96c152c77310",
                "sha512_sri": "sha512-SGhhcA9/55KjQFUm0NK0aIaSEIm0CiTbNFMm4qICfUYfazXSQxQe9Dbb63C0Z9qjkH2h44cZheYtl+s3UH3LPw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6182a5045946255a9a3677b0df0a340ef77684f34315ab00f89ce6502f72e78a2feed8",
            "sha256": "756a8386bde78c2359fa7822a7d5a073fc7dd73d9022f2b6b221b57d267788aa",
            "path": "path.js"
        },
        {
            "tlsh": "e2e0df31cd46ec3304e522a43d35461ba1a18d4b0806f80923829b4c9b8e5afa0b83ac",
            "sha256": "25f7cc92174323df15dc190277845dc2a891a4b153e811f344c780f6268b1eac",
            "path": "package.json"
        }
    ],
    "domains": [
        "www.jsonkeeper.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json"