MAL-2026-2930

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2930
Published
2026-04-14T10:53:25Z
Modified
2026-05-26T06:02:49.021846121Z
Summary
Malicious code in path-internal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0)

The package presents itself as a copy of the Node.js core path module (name path-internal, README: "exact copy of the NodeJS 'path' module") and ships the upstream Joyent path implementation with a malicious dropper spliced between posix.basename and posix.extname in path.js. On require('path-internal'), the module decodes a base64-encoded URL (https://www.jsonkeeper.com/b/YCW2F, stored under the misleading variable name randomStringRe), fetches the JSON document at that URL, and passes data.content straight to eval(). A second identical IIFE for https://www.jsonkeeper.com/b/TPQHE is present (commented out) under tokenStringRe. jsonkeeper.com is an anonymous, mutable paste host: the attacker can change the served payload at any time to execute arbitrary code in-process on every installer that imports the package. The base64 obfuscation, the regex-shaped decoy variable names, the splice into a verbatim copy of a Node stdlib module, and the typosquat name (with the README also confusingly suggesting npm install --save path-external) collectively confirm malicious intent rather than negligence.

Source: ossf-package-analysis (37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea)

The OpenSSF Package Analysis project identified 'path-internal' @ 1.0.10 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "sha256": "37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea",
            "modified_time": "2026-04-14T10:53:25Z",
            "import_time": "2026-04-20T04:35:28.98285502Z",
            "versions": [
                "1.0.10"
            ]
        },
        {
            "source": "ossf-package-analysis",
            "sha256": "3ffd83abacf171f62d4ab24cb566309928d5ae7d0fa65b7b8dd9cb6adafb0b99",
            "modified_time": "2026-04-17T20:50:36Z",
            "versions": [
                "1.0.11"
            ],
            "import_time": "2026-04-20T04:35:29.310441798Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "abc4831453df57bac423574143b194320835024fc24fdc838ee77b08db8a4e52",
            "modified_time": "2026-04-23T20:43:56Z",
            "versions": [
                "1.0.10",
                "1.0.11"
            ],
            "import_time": "2026-04-23T20:49:13.97191322Z"
        },
        {
            "source": "ossf-package-analysis",
            "sha256": "69a980bf55ae1f73da093b3b7c1a29a2036d779a4eaefa932d35a7190bef8f56",
            "modified_time": "2026-05-01T07:37:53Z",
            "versions": [
                "1.0.12"
            ],
            "import_time": "2026-05-04T03:13:19.953289264Z"
        },
        {
            "source": "ossf-package-analysis",
            "sha256": "b6bf7ad436a59244e2afc4824dd817d97fea9639a779630425bba77546be2708",
            "modified_time": "2026-05-25T17:03:12Z",
            "import_time": "2026-05-26T00:54:39.689491526Z",
            "versions": [
                "1.0.14"
            ]
        },
        {
            "sha256": "b6f9fdab17c04f83092e8be5cd40659ff6a7fd4ba936ee30fd1ae03e92311e2e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T15:28:53Z",
            "import_time": "2026-05-26T05:53:07.00310722Z",
            "id": "IN-MAL-2026-004702",
            "versions": [
                "1.0.13"
            ]
        },
        {
            "sha256": "2e41b4e12365824a7df50e3711c5c1d31e64ca4972e2571fa79082d18efa1844",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T16:14:35Z",
            "import_time": "2026-05-26T05:53:09.06108946Z",
            "id": "IN-MAL-2026-004718",
            "versions": [
                "1.0.14"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0",
            "modified_time": "2026-05-25T16:10:18Z",
            "versions": [
                "1.0.14"
            ],
            "import_time": "2026-05-26T05:53:08.930672262Z",
            "id": "IN-MAL-2026-004717"
        },
        {
            "source": "amazon-inspector",
            "sha256": "a19a0df6f7e1346a46e8a6d85d06ecf9fc66090ecd3dd5f017c5308a1525bf7f",
            "modified_time": "2026-05-25T15:28:53Z",
            "id": "IN-MAL-2026-004701",
            "versions": [
                "1.0.13"
            ],
            "import_time": "2026-05-26T05:53:06.91103367Z"
        }
    ]
}

Affected packages

npm / path-internal

Package

Affected ranges

Affected versions

1.*
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json"
indicators
{
    "domains": [
        "www.jsonkeeper.com"
    ],
    "package_integrity": [
        {
            "filename": "path-internal-1.0.14.tgz",
            "hashes": {
                "sha1": "2bfd7c233875c9c083ac2ab6788b96c152c77310",
                "sha512_sri": "sha512-SGhhcA9/55KjQFUm0NK0aIaSEIm0CiTbNFMm4qICfUYfazXSQxQe9Dbb63C0Z9qjkH2h44cZheYtl+s3UH3LPw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "path.js",
            "tlsh": "6182a5045946255a9a3677b0df0a340ef77684f34315ab00f89ce6502f72e78a2feed8",
            "sha256": "756a8386bde78c2359fa7822a7d5a073fc7dd73d9022f2b6b221b57d267788aa"
        },
        {
            "sha256": "25f7cc92174323df15dc190277845dc2a891a4b153e811f344c780f6268b1eac",
            "tlsh": "e2e0df31cd46ec3304e522a43d35461ba1a18d4b0806f80923829b4c9b8e5afa0b83ac",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]