MAL-2026-4549

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dot-utils-plus/MAL-2026-4549.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4549
Published
2026-05-21T02:37:52Z
Modified
2026-05-26T06:02:29.699443854Z
Summary
Malicious code in dot-utils-plus (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f)

On every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from the environment variable VITEDOTUTILSAESSECRET, decrypts the result into JavaScript source, wraps it in a Blob/data URL, and dynamically import()s it. The decrypted code is opaque to consumers and to static review; whoever holds the AES secret can ship arbitrary JavaScript to every downstream application that loads this library. This is a backdoor/remote-code-execution surface delivered through a library's normal import path.

In addition, the same bundle monkey-patches the global EventTarget.prototype.addEventListener at import time. For every click listener registered after the patch, on dates after 2026-06-10 and when running outside development, the wrapper has a 5% chance of busy-waiting 5000ms on the main thread: a date-gated logic bomb that silently degrades any web app loading the package.

None of this behavior is documented in the README or the declared API, and package.json carries placeholder author metadata ("Your Name") with a self-described "encrypted distribution build" as the only shipped artifact.
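As an added example (not the advisory's or the package's code), a Node.js static scan for the indicators the description above lists, run over constructed sample text; the indicator regexes, the function names and the sample inputs are assumptions made for the example.

```javascript
// Static indicators for the loader pattern described in the advisory. Each
// indicator fires only when every regex in `all` matches, so a lone dynamic
// import() or a plain Date.now() loop does not raise a finding by itself.
const INDICATORS = [
  { id: 'aes-decrypt-with-env-key',             // AES-256-CBC decipher keyed from process.env
    all: [/createDecipheriv\s*\(\s*['"]aes-256-cbc['"]/, /process\.env\.\w+/] },
  { id: 'dynamic-import-from-blob-or-data-url', // text wrapped in a Blob/data URL, then import()ed
    all: [/import\s*\(/, /URL\.createObjectURL\s*\(\s*new\s+Blob|data:text\/javascript/] },
  { id: 'addEventListener-prototype-patch',     // global listener hook installed at import time
    all: [/EventTarget\.prototype\.addEventListener\s*=/] },
  { id: 'date-gated-busy-wait',                 // hardcoded date + random trigger + Date.now() spin loop
    all: [/new\s+Date\s*\(\s*['"]\d{4}-\d{2}-\d{2}/, /Math\.random\s*\(\)/, /while\s*\([^)]*Date\.now\s*\(\)/] },
];

// Returns the ids of all indicators present in one file's source text.
function scanSource(source) {
  return INDICATORS.filter((ind) => ind.all.every((re) => re.test(source))).map((ind) => ind.id);
}

// Metadata heuristics from the advisory's package.json observations (placeholder
// author, self-described encrypted build). Field names follow the npm package.json schema.
function checkPackageMetadata(pkg) {
  const findings = [];
  const author = typeof pkg.author === 'string' ? pkg.author : (pkg.author && pkg.author.name) || '';
  if (/^your name$/i.test(author.trim())) findings.push('placeholder-author');
  if (/encrypted/i.test(pkg.description || '')) findings.push('self-described-encrypted-build');
  return findings;
}

// Constructed sample text that mimics the described loader shape; it is not the real
// bundle and does not work as a loader (iv, src and the wrapper body are left out).
const SUSPICIOUS_SAMPLE = [
  "const key = createHash('sha256').update(process.env.VITEDOTUTILSAESSECRET).digest();",
  "const dec = createDecipheriv('aes-256-cbc', key, iv);",
  "const url = URL.createObjectURL(new Blob([src], { type: 'text/javascript' }));",
  "await import(url);",
  "EventTarget.prototype.addEventListener = function (t, fn, o) { /* wrapper */ };",
  "if (new Date() > new Date('2026-06-10') && Math.random() < 0.05) {",
  "  const end = Date.now() + 5000; while (Date.now() < end) {}",
  "}",
].join('\n');
// Constructed benign dot-path helper; raises no findings.
const CLEAN_SAMPLE = "export function get(o, p) { return p.split('.').reduce((a, k) => a && a[k], o); }";
// Constructed package.json fragment with the metadata traits the advisory notes.
const SUSPICIOUS_PKG = { name: 'example-pkg', author: 'Your Name', description: 'encrypted distribution build' };

console.log(scanSource(SUSPICIOUS_SAMPLE));        // all four indicator ids
console.log(scanSource(CLEAN_SAMPLE));             // []
console.log(checkPackageMetadata(SUSPICIOUS_PKG)); // ['placeholder-author', 'self-described-encrypted-build']
```

Run it over every .js file in an unpacked tarball (and the tarball's package.json) before the package is allowed into a lockfile; a hit on the first two indicators together is the strongest signal, since it marks code that cannot be reviewed statically.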

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004594",
            "versions": [
                "0.1.9"
            ],
            "sha256": "3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T07:28:47Z",
            "import_time": "2026-05-26T05:52:54.546550366Z"
        },
        {
            "id": "IN-MAL-2026-003703",
            "import_time": "2026-05-26T05:51:08.610127186Z",
            "sha256": "3b3ec7da6f9bf18e682d16157ad4f267a8eac8c4fffb0830c82cf81d967cb548",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T02:37:52Z",
            "versions": [
                "0.1.5"
            ]
        },
        {
            "id": "IN-MAL-2026-003744",
            "versions": [
                "0.1.8"
            ],
            "sha256": "8e1d253016bde040bfaef95130c59591f1715fc56eaad47d0dd27ab27c410379",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T05:39:56Z",
            "import_time": "2026-05-26T05:51:13.964617422Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / dot-utils-plus
Affected ranges: 0.*
Affected versions: 0.1.5, 0.1.8, 0.1.9

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dot-utils-plus/MAL-2026-4549.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "0775cb3a1c0816fdc1bb907679780e8572e9c74b98b7e7f24d47f82ad64e782c",
            "tlsh": "c8d173443db224628266a0f7663fe0557570c663364cce94b7dca2a05fb543ccbe32da"
        },
        {
            "path": "package.json",
            "sha256": "e2c6498fd641993b7f1553de5cc25abac8b0765d8e4191aa0095d38d2675a52c",
            "tlsh": "5f115933c9949d2302f8d6a1ad759706f6710b1f01604d0730fa012c4b752ab446efae"
        }
    ],
    "package_integrity": [
        {
            "filename": "dot-utils-plus-0.1.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-P8KJaKt27lChzGcaCEnCVccogrOkj+ebONs35Xxh8DWMUq53EUociJXAijscdAZMrCznLxP9L5KX4PlYd+RJBQ==",
                "sha1": "4e23555ce80fe605583d8e425c0184395e5a19ca"
            }
        }
    ]
}