MAL-2026-4734

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xorma-js/MAL-2026-4734.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4734
Published
2026-05-19T18:48:54Z
Modified
2026-05-26T06:03:06.209988537Z
Summary
Malicious code in xorma-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260)

On require('xorma-js'), a top-level IIFE in dist/index.js synchronously runs npm uninstall clsx-js && npm install clsx-js via child_process.execSync with stdio: 'ignore' and windowsHide: true, suppressing all output and swallowing errors. The same command is stored as Model.resetor and runs again on every Model construction.

The effect is to add an unrelated, typosquat-named package (clsx-js, a name-squat of the popular clsx) to the consumer's node_modules and make its code resolvable from the host application. npm install is the fetch-and-execute mechanism: whatever clsx-js contains at install time is attacker-controlled and ends up running in the host process.

The behavior is undocumented and unrelated to the package's stated purpose (a mobx-backed in-memory database), and the README is a verbatim copy of the legitimate xorma package's README, consistent with a typosquat lure.

The payload is present only in the CJS bundle (dist/index.js). The parallel ESM bundle (dist/index.mjs), built from the same rollup config, contains neither the execSync call nor any child_process import, indicating asymmetric injection aimed at CJS consumers (the default in older Node tooling and most CI scripts). A review that only reads the ESM entry point will miss it.

package.json also declares a bogus dependency on child_process (^1.0.2), itself a registry-squat of the Node built-in name. No legitimate package needs that declaration, since require() resolves core-module names before node_modules, so the declaration is an indicator in its own right.

Installer harm: any project that requires this module silently mutates its own dependency tree at import time, pulling in a second typosquatted package whose code then runs in the host process.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:16.485424252Z",
            "sha256": "fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260",
            "id": "IN-MAL-2026-003241",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:48:54Z",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / xorma-js

Package          Affected ranges   Affected versions
npm / xorma-js   1.*               1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-TJs6AU8753HpiN1i2+hTp0cWX+8PLrD4Y73AcTg85tr4+k8b2yqoIgAVbUSbU1jc3DyA6Gkjn9dyJtT7q42MHw==",
                "sha1": "9861d0bc4e6113228b9ceb03c2bb61def5de43b2"
            },
            "filename": "xorma-js-1.0.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "sha256": "6a71df549ac65976f61b19a2327a6031dbc49806e64aaa682c54cadfdac81497",
            "tlsh": "4c42038937fb3930456b30691e4f8107b63a944ba81dee487a9c42d4af4447e52f2bbd",
            "path": "dist/index.js"
        },
        {
            "sha256": "896863ddb85ba789404cbed634a323c5ab40cde987fa0087953597b068c43afd",
            "tlsh": "54014930ca218eb355d825d14cbb15a36e72895b0897fc5833cb870c0a4e66b50fe67c",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xorma-js/MAL-2026-4734.json"