MAL-2026-4501

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/btd-smart/MAL-2026-4501.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4501
Published
2026-05-19T18:58:59Z
Modified
2026-05-26T06:02:15.206526123Z
Summary
Malicious code in btd-smart (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199)

The package presents itself as a clone of juliangruber/balanced-match (stolen author identity 'Julian Gruber mail@juliangruber.com', verbatim README, identical API renamed btdSmart, placeholder homepage 'github.com/your-org/btd-smart'). Appended to the legitimate code in index.js is an obfuscated block that runs unconditionally when the module is required. A custom string-shuffle decoder reconstructs the identifier 'constructor' (and other strings) without any literal occurrences in the file, retrieves the Function constructor from a string prototype, builds a function from a decoded source body, and invokes it. Before invocation, the code stashes require and module onto global under decoder-produced keys so the Function-built code — which otherwise has no closure scope — gains filesystem, network, and process capabilities. The payload body is opaque (deterministic numerical shuffle with 0x7F-based escape tricks across two nested decoders), executes on every require('btd-smart'), and the legitimate balanced-match code above it has no obfuscation, confirming the appended block is purposefully hidden. Combined signals — typosquat with stolen identity, custom obfuscator, dynamic Function eval of a decoded blob at module load, deliberate global-smuggling of require/module — match the documented active-attack shape; no legitimate brace-matching utility needs any of these mechanisms.
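The two behaviours described above (reaching the Function constructor through a string's prototype chain, and stashing require/module onto the global object under decoder-produced keys) can be observed at load time without knowing how the obfuscator spelled any name. The following is an added example, not code from the OSV record, from Amazon Inspector, or from the btd-smart package: a load-time audit hook meant for a disposable process (container or VM) that a reviewer would use when triaging a suspect package. Every identifier in it (auditLoad, installFunctionGuard, simulatedSuspectModule, the __btd_stash key) is invented, and the "suspect module" is a constructed, benign stand-in that uses the same two mechanisms so the hook has something to catch.

```javascript
'use strict';
// Added example (hypothetical names throughout). Not part of the advisory or the package.

// (1) Observe every path to the Function constructor.
// ''.constructor.constructor resolves to Function.prototype.constructor, so
// replacing that property and the global binding covers the prototype trick
// no matter how the string 'constructor' was assembled at runtime.
function installFunctionGuard(log) {
  const RealFunction = Function;
  const GuardedFunction = function (...args) {
    // The source body is always the last argument to Function(...).
    const body = args.length ? String(args[args.length - 1]) : '';
    log.push({ argc: args.length, bodyPreview: body.slice(0, 60) });
    return RealFunction(...args);
  };
  RealFunction.prototype.constructor = GuardedFunction;
  globalThis.Function = GuardedFunction;
  // Use RealFunction here: after the swap, the identifier Function is the guard.
  return function uninstall() {
    RealFunction.prototype.constructor = RealFunction;
    globalThis.Function = RealFunction;
  };
}

// (2) Recognise a CommonJS require function or module object by shape.
function looksLikeRequire(v) {
  return typeof v === 'function' && typeof v.resolve === 'function' && typeof v.cache === 'object';
}
function looksLikeModule(v) {
  return v !== null && typeof v === 'object' && 'exports' in v && typeof v.id === 'string';
}

// Run a loader (in practice: () => require('suspect-pkg')) with the guard installed,
// then diff the global object to find anything the module smuggled onto it.
function auditLoad(loader) {
  const before = new Set(Reflect.ownKeys(globalThis));
  const dynamicCodeCalls = [];
  const uninstall = installFunctionGuard(dynamicCodeCalls);
  let result;
  let error = null;
  try {
    result = loader();
  } catch (e) {
    error = e;
  } finally {
    uninstall();
  }
  const newGlobals = Reflect.ownKeys(globalThis).filter((k) => !before.has(k));
  const smuggled = newGlobals
    .filter((k) => looksLikeRequire(globalThis[k]) || looksLikeModule(globalThis[k]))
    .map((k) => ({ key: String(k), kind: looksLikeRequire(globalThis[k]) ? 'require' : 'module' }));
  // The process is disposable anyway; cleaning up keeps the audit re-runnable.
  for (const k of newGlobals) delete globalThis[k];
  return {
    result,
    error,
    dynamicCodeCalls,
    newGlobals: newGlobals.map(String),
    smuggled,
    // No brace-matching utility needs either mechanism, so either one is enough to flag.
    flagged: dynamicCodeCalls.length > 0 || smuggled.length > 0,
  };
}

// Constructed stand-in for the appended block: a harmless body that exercises
// both mechanisms. The real package decodes the name 'constructor' at runtime;
// the hook does not depend on the name appearing literally, so plain property
// access is enough here.
function simulatedSuspectModule() {
  const fakeRequire = Object.assign(function () {}, { resolve() {}, cache: {} });
  globalThis.__btd_stash = fakeRequire;  // require smuggled onto the global object
  const F = ''.constructor.constructor;  // Function reached via the string prototype
  return F('return 6 * 7')();            // code built from a string at load time
}

// A well-behaved module touches neither mechanism.
function benignModule() {
  return [1, 2, 3].map((x) => x * 2);
}

for (const [name, loader] of [['suspect', simulatedSuspectModule], ['benign', benignModule]]) {
  const r = auditLoad(loader);
  console.log(name, r.flagged ? 'FLAGGED' : 'clean', r.dynamicCodeCalls, r.smuggled);
}
```

The hook is deliberately shape-based rather than name-based: it wraps the one object every Function-constructor trick must eventually reach, and it compares global-object keys before and after the load instead of guessing which keys the decoder produces. It only sees what happens during the synchronous require; a payload that defers its work to a timer or a later call would need the process kept alive and re-checked.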

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003259",
            "modified_time": "2026-05-19T19:12:27Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.2"
            ],
            "sha256": "3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199",
            "import_time": "2026-05-26T05:50:18.572440252Z"
        },
        {
            "id": "IN-MAL-2026-003250",
            "modified_time": "2026-05-19T18:58:59Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.3"
            ],
            "sha256": "f99fec295e7e47a66efd1ddfef051e13f25e9139473356d8a79c1c1d612e2887",
            "import_time": "2026-05-26T05:50:17.604544963Z"
        }
    ]
}

Affected packages

Package: npm / btd-smart
Affected ranges: 1.*
Affected versions: 1.0.2, 1.0.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/btd-smart/MAL-2026-4501.json"
indicators
{
    "evidence_files": [
        {
            "tlsh": "c8125b840bc658e71233a9b84dcf4c05b62a6412322cf944ba6ef4905fd4e2d57faed8",
            "path": "index.js",
            "sha256": "d8bd60b2a63b9ee8f6172c79cb5914498e21607b1d31e38e2f1edade76608e16"
        },
        {
            "tlsh": "00110329c1734c2706c42a91acae1293be11da174d59bc0ef38e010c8f4ea6f22fd75e",
            "path": "package.json",
            "sha256": "bb473daeb0a8fbc93755f3103833c9864d442829859bb91f6d17551ace145701"
        }
    ],
    "package_integrity": [
        {
            "filename": "btd-smart-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-aPBHoL2A7LOh4PGCoVscTDXXXvz+R1mytr+DwBaGLxv+ZBWU9RBqdG4TlXCl1pl2T0XsuiPdKjDOAJ7z5i3rKQ==",
                "sha1": "0318b76aaceeccf56e5a50a946324ca17699ca60"
            }
        }
    ]
}