MAL-2026-4503

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bytecore/MAL-2026-4503.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4503
Published
2026-05-19T16:57:09Z
Modified
2026-05-26T06:02:16.441614374Z
Summary
Malicious code in bytecore (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1c1ddd2dea35052822d2dc89f0f46ceae20c772c257e0c97f0024483e9ff31c0)

The package masquerades as a pino-like logging middleware: the README is copied from pino, it exports a pino property, and it mimics pino's option shape. The middleware factory in index.js, however, spawns a detached node lib/caller.js child process when the exported function is invoked, i.e. at the moment the application builds the middleware, typically at startup.

lib/caller.js obfuscates a hardcoded C2 URL by shadowing the real process global with a local object whose env holds base64-encoded strings; decoding DEV_API_KEY yields https://jsonkeeper.com/b/BADC6. The script GETs that URL on an anonymous, mutable paste host with axios (retried 5 times) and passes the response body to new Function.constructor("require", s)(require). Since Function.constructor is Function itself, this is equivalent to new Function("require", s)(require): the fetched text becomes the body of a function whose single parameter is named require, and that function is immediately called with the real require, so the attacker-controlled JavaScript runs with full Node privileges and direct access to every module the application can load.

Any application that installs bytecore and mounts the middleware (app.use(require('bytecore')())) therefore runs whatever code the paste currently serves, and because the paste is mutable that code can be swapped by the attacker at any time without publishing a new package version. The combination of (a) a mutable anonymous paste host as the code source, (b) require-passing eval of the fetched bytes, (c) base64 plus process-shadowing obfuscation of the C2, and (d) impersonation of a popular logger to lure installers is an unambiguous remote-code-execution backdoor.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003203",
            "versions": [
                "5.3.1"
            ],
            "sha256": "1c1ddd2dea35052822d2dc89f0f46ceae20c772c257e0c97f0024483e9ff31c0",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T16:57:09Z",
            "import_time": "2026-05-26T05:50:12.370992922Z"
        }
    ]
}

Affected packages

npm / bytecore

Package: npm / bytecore
Affected ranges: 5.*
Affected versions: 5.3.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/caller.js",
            "sha256": "5f2d8aec684e79cb983af79d29fddf7e7ecf1e36474baf1422e77c9b79caee23",
            "tlsh": "d6019c4a70fd641c016122fa261fa4326011f47b3946d9d4374cc3525fa96be2e93adf"
        },
        {
            "path": "README.md",
            "sha256": "366fb8e84a0157e29ec26bad87f74f0564804a80eb71b0fa22cc1eb08a88cbf4",
            "tlsh": "4a5175a787e87b6e4b6300b1a1c275b9ff1f931c7b69606dec9cd1291319997813110a"
        }
    ],
    "package_integrity": [
        {
            "filename": "bytecore-5.3.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Fz+0+98cioSWu+Opl6Kfd7YZ/Bm640khK7qi5szklKrGs6nspU+A7TA7HpesE5/Nd5CK2ibXvmvsnQs8aJV7Yg==",
                "sha1": "ea2bf63152f2c687850dfb8a66d404424193b068"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bytecore/MAL-2026-4503.json"