MAL-2026-4734

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xorma-js/MAL-2026-4734.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4734
Aliases
  • GHSA-h7mc-23rp-vpj6
Published
2026-05-19T18:48:54Z
Modified
2026-06-09T15:31:28.496671137Z
Summary
Malicious code in xorma-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260)

On require('xorma-js'), a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via child_process.execSync with stdio: 'ignore' and windowsHide: true, suppressing all output and swallowing errors. The same command is stored as Model.resetor and runs again on each Model construction. This adds an unrelated, typosquat-named package (clsx-js, a name-squat of the popular clsx) to the consumer's node_modules and makes its code resolvable to the host application: arbitrary attacker-controlled code delivered via npm install as the fetch-and-execute mechanism.

The behavior is undocumented and unrelated to the package's stated purpose (a mobx-backed in-memory database), and the README is a verbatim copy of the legitimate xorma package's README, consistent with a typosquat lure.

The payload is present only in the CJS bundle (dist/index.js); the parallel ESM bundle (dist/index.mjs), built from the same rollup config, does not contain the execSync call or any child_process import, indicating asymmetric injection targeting CJS consumers (the default in older Node tooling and most CI scripts). package.json also declares a bogus dependency on child_process (^1.0.2), itself a registry-squat of the Node built-in name.

Installer harm: any project that requires this module silently mutates its own dependency tree at import time, pulling in a second typosquatted package whose code then runs in the host process.

Source: ghsa-malware (27bc702dd8b768902a392bc3e35f06bb11281fa65150833afa606c3d0f386545)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260",
            "modified_time": "2026-05-19T18:48:54Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003241",
            "import_time": "2026-05-26T05:50:16.485424252Z"
        },
        {
            "sha256": "27bc702dd8b768902a392bc3e35f06bb11281fa65150833afa606c3d0f386545",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "modified_time": "2026-06-09T14:47:43Z",
            "import_time": "2026-06-09T15:22:39.84798256Z",
            "id": "GHSA-h7mc-23rp-vpj6"
        }
    ]
}
References
Credits

Affected packages

npm / xorma-js

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "xorma-js-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-TJs6AU8753HpiN1i2+hTp0cWX+8PLrD4Y73AcTg85tr4+k8b2yqoIgAVbUSbU1jc3DyA6Gkjn9dyJtT7q42MHw==",
                "sha1": "9861d0bc4e6113228b9ceb03c2bb61def5de43b2"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "6a71df549ac65976f61b19a2327a6031dbc49806e64aaa682c54cadfdac81497",
            "path": "dist/index.js",
            "tlsh": "4c42038937fb3930456b30691e4f8107b63a944ba81dee487a9c42d4af4447e52f2bbd"
        },
        {
            "sha256": "896863ddb85ba789404cbed634a323c5ab40cde987fa0087953597b068c43afd",
            "path": "package.json",
            "tlsh": "54014930ca218eb355d825d14cbb15a36e72895b0897fc5833cb870c0a4e66b50fe67c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xorma-js/MAL-2026-4734.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]