MAL-2026-4475
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aes-decode-runner-pro/MAL-2026-4475.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4475
- Published
- 2026-05-25T16:36:18Z
- Modified
- 2026-05-26T17:01:46.219734979Z
- Summary
- Malicious code in aes-decode-runner-pro (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93)
On
require('aes-decode-runner-pro'), the entry pointindex.jsimmediately invokespkg.run()(lines 1-3:const pkg = require("./custom-codec"); pkg.run();), which AES-256-GCM-decrypts a hardcoded ciphertext bundle using a hardcoded passphrase and salt shipped insrc/config/defaults.js(DEFAULT_AES_PASSPHRASE = "default-dev-passphrase",DEFAULT_AES_SALT = "encode-npm-c-salt",DEFAULT_FINAL_ENCODED_TEXT = "wHKEM3UBnIY0UBU6:..."), passes the result through two additional custom codecs, and finally executes the cleartext withnew Function(String(decoded.decodedPlainText))()atsrc/pipeline/custom-codec-pipeline.js:54. The README advertises only library functions and does not disclose this auto-execution behavior. Layered obfuscation (position codec + encode-decode codec + AES-GCM with an embedded key) whose sole in-package consumer is the load-timerun()entry serves only to hide executable code from static review; the consuming developer cannot determine what runs without first executing it. The decrypted payload is fully attacker-controlled and runs in the installer's Node process whenever any downstream module imports this package. - Database specific
{ "malicious-packages-origins": [ { "source": "amazon-inspector", "sha256": "21c4286de42cc9b421b7bfb8451075f5fac3d004439cc19a78ffd3d6103e2935", "modified_time": "2026-05-25T16:44:05Z", "versions": [ "1.0.3" ], "import_time": "2026-05-26T05:53:09.849927162Z", "id": "IN-MAL-2026-004725" }, { "source": "amazon-inspector", "sha256": "7d2e4d5ff40593da9616ad9c185d324e9bd84253c7e73c63bbefb0e8ba84a5f0", "modified_time": "2026-05-25T16:40:25Z", "id": "IN-MAL-2026-004724", "versions": [ "1.0.2" ], "import_time": "2026-05-26T05:53:09.755170225Z" }, { "source": "amazon-inspector", "sha256": "abc470bfaa7f07d0b5c447c9340ea97f9623545acc703b8a143d4a49737bb50a", "modified_time": "2026-05-25T17:15:20Z", "versions": [ "1.0.5" ], "import_time": "2026-05-26T05:53:10.283669433Z", "id": "IN-MAL-2026-004729" }, { "source": "amazon-inspector", "sha256": "2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93", "modified_time": "2026-05-25T16:36:18Z", "versions": [ "1.0.1" ], "import_time": "2026-05-26T05:53:09.607864311Z", "id": "IN-MAL-2026-004723" }, { "source": "amazon-inspector", "sha256": "3343f3d9d7dfd91a206c28e4ec52f4615b830a46638d61e8dcea5a646c60dee1", "modified_time": "2026-05-26T15:33:27Z", "import_time": "2026-05-26T16:47:31.858420721Z", "id": "IN-MAL-2026-004931", "versions": [ "1.0.7" ] }, { "source": "amazon-inspector", "sha256": "5b57b940dbe6e5a732434a0f96f3d6e2253b147036af520642a17941e052b175", "modified_time": "2026-05-26T15:54:00Z", "versions": [ "1.0.8" ], "import_time": "2026-05-26T16:47:31.944290505Z", "id": "IN-MAL-2026-004933" }, { "sha256": "62b62112b1522fd678caca77d9627e6cf0bb1187188b1946655ae69e8efb1271", "source": "amazon-inspector", "modified_time": "2026-05-26T15:29:45Z", "import_time": "2026-05-26T16:47:31.818950899Z", "id": "IN-MAL-2026-004930", "versions": [ "1.0.6" ] } ] }- References
-
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.3
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.2
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.5
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.1
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.7
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.8
- https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.6
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / aes-decode-runner-pro
Package
- Name
- aes-decode-runner-pro
- View open source insights on deps.dev
- Purl
- pkg:npm/aes-decode-runner-pro
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aes-decode-runner-pro/MAL-2026-4475.json"
indicators
{
"package_integrity": [
{
"filename": "aes-decode-runner-pro-1.0.3.tgz",
"hashes": {
"sha1": "11a8d8b7a152141f33133341294808a594772247",
"sha512_sri": "sha512-8h37en6h3BeBKj6GJgGYMQ6dev2kzXrdo/SmFnbmmX8JtyuRHoRFUb6Cc6FuSCHZGsbJxxDX9uyXUPzNjNFXoA=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "bea0247143f13370301440c0d005055144cfc3d3314070404d45d5d041cdc400133c40",
"sha256": "ff42378f9099a83109c6143d8daad35d740db606a89639e61ece311100aef5f1"
},
{
"sha256": "737deb01c41226ede865573174fa8787cdbf461cf78d8cf298bf9765b2b60aa3",
"tlsh": "cd01b8207fa907a979601fe854386ce7b463f43ab50bb2850c3a82d242ee44304a568c",
"path": "src/config/defaults.js"
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]