MAL-2026-4610

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/midcorp/MAL-2026-4610.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4610
Published
2026-05-22T15:22:57Z
Modified
2026-05-26T06:02:41.532964683Z
Summary
Malicious code in midcorp (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bc6725ed066ed5aff9452bd82d278fd89c1548768124d8b89cb8e5a5e8c3b05a)

The package masquerades as a pino-compatible logger (package.json keywords fast/logger/stream/json, exports module.exports.pino = middleware, lib filenames proto.js, redaction.js, multistream.js, transport.js, worker.js mirror pino's layout), but its actual runtime behavior is a remote-code-execution dropper. When a consumer requires midcorp and invokes the exported middleware() from index.js, a detached/unref'd child process spawns lib/caller.js, which performs axios.get against https://jsonkeeper.com/b/XRGF3 (an anonymous, mutable paste-bin host) and passes the returned data.cookie field to new Function.constructor('require', s)(require) — handing attacker-controlled JavaScript full Node.js require capabilities. The C2 URL is obfuscated as a base64 string disguised as a fake process.env.DEV_API_KEY default in lib/caller.js / lib/const.js (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz, which decodes to https://jsonkeeper.com/b/XRGF3), with a backup paste ID (4NAKK). The description field is unrelated boilerplate about vulnerability management. Three independent block signals (remote-eval of paste-bin content, pino impersonation cover, base64-hidden C2) leave no benign interpretation.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004224",
            "versions": [
                "1.1.9"
            ],
            "sha256": "bc6725ed066ed5aff9452bd82d278fd89c1548768124d8b89cb8e5a5e8c3b05a",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T15:22:57Z",
            "import_time": "2026-05-26T05:52:11.273071919Z"
        }
    ]
}
References
Credits

Affected packages

npm / midcorp

Package

Affected ranges

Affected versions

1.*
1.1.9

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "lib/caller.js",
            "sha256": "d81e48769a830cd3384a4b8977ade12e5ab7583eb7cca84e7ab966d15871bd71",
            "tlsh": "f8017b8a30fa605c015510f64b1fa4327011e4273c49e5c5378c87524fea9ae6963aed"
        },
        {
            "path": "index.js",
            "sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
            "tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7"
        }
    ],
    "package_integrity": [
        {
            "filename": "midcorp-1.1.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-5QiR7iEkt0yzDMMMx591lVc9sNaSM7y27zFw8D7PAxz93d6YQGTg24uQ+nhDgo1TZRUrwpfZPX4UDz6IJm5EQw==",
                "sha1": "fe92fc7ad4d8e033fb58dc29762bcfa4eb8fd72d"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/midcorp/MAL-2026-4610.json"