MAL-2026-4466

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@weirdorg/config/MAL-2026-4466.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4466

Published

2026-05-20T07:28:26Z

Modified

2026-05-26T06:02:07.119769015Z

Summary

Malicious code in @weirdorg/config (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b28e2fe6ac03c8e426aeb69f62bf0b2bd4dfdb06a5acee273bb5967186c5504d)

@weirdorg/config impersonates the widely-used config (node-config) package, copying its README verbatim including the require('config') usage example. The package's index.js redirects to ./lib/load.js, a ~422 KB file protected with obfuscator.io-style RC4 string-array decoding wrapping a custom VM interpreter. The VM captures the host require, module, exports, __dirname, and __filename into a global context and then evaluates multiple large base64-encoded bytecode payloads (e.g. _0x191ca6=["AcIHAQAEBOjIWW0O8b9jdskw9QJh7xQQCAAF7QEDACYE..."]). The code also references execArgv, inspector, and SIGUSR1 — debugger-evasion strings with no place in a configuration library. Because lib/load.js is loaded immediately by index.js, opaque attacker-controlled code executes the moment any consumer runs require('@weirdorg/config'). The combination of (a) name confusion against a top-tier registry package, (b) verbatim README copy to mislead installers, (c) replaced entrypoint pointing at a heavily obfuscated VM, and (d) captured host require/module handles plus interpreted bytecode is the canonical malicious-loader shape — the exact network/exec behavior is intentionally hidden behind two layers of obfuscation, but arbitrary code execution in the installer's Node process is implicit in the design.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b28e2fe6ac03c8e426aeb69f62bf0b2bd4dfdb06a5acee273bb5967186c5504d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T07:28:26Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-003485",
            "import_time": "2026-05-26T05:50:43.842325503Z"
        }
    ]
}

References

https://www.npmjs.com/package/@weirdorg/config/v/1.0.3

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @weirdorg/config

Package

Name: @weirdorg/config; View open source insights on deps.dev
Purl: pkg:npm/%40weirdorg%2Fconfig

Affected ranges

Affected versions

1.*

1.0.3

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@weirdorg/config/MAL-2026-4466.json"

indicators

{
    "package_integrity": [
        {
            "filename": "config-1.0.3.tgz",
            "hashes": {
                "sha1": "2be631637e8e954b15feb6fbca70cb9079d4feb6",
                "sha512_sri": "sha512-OkvZ2BfQeXLGM/hg8a8giBbNaMC7INGk92cInag5kNCJWlWief12OBCb8Af9+gjeapnRf82b4iUPRz8ptq4KXA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/load.js",
            "tlsh": "7f94c44272c574a1224f5bb2b73bb0d9f57a0ddc3a84084fd224fad2f966605eed9930",
            "sha256": "03657c5c4fee2e560ee39414f540357fede53468cdbe756f4808b266840a8b6c"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]