MAL-2026-4779

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ether-bn.js/MAL-2026-4779.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4779
Published
2026-05-26T06:25:09Z
Modified
2026-05-26T08:01:40.955191090Z
Summary
Malicious code in ether-bn.js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73)

Package name 'ether-bn.js' resembles the widely-used 'bn.js' big-number library, and the README directs users to install yet another name ('buffernumber.js'). The repository and homepage fields point at the legitimate indutny/bn.js project while the author field is unrelated. The shipped lib/bn.js is a near-verbatim copy of upstream bn.js with two non-upstream additions: a top-level const uniqueString = require('unique-id-64'); (lib/bn.js:38) and a check if (BN.isBN(number) && uniqueString(64)) { return number; } inside the BN constructor (lib/bn.js:20). package.json adds unique-id-64: ^1.0.0 to dependencies. The injected require is unconditionally evaluated when the module is loaded, and uniqueString(64) is invoked on every BN clone path, so any consumer that does new BN(existingBn) executes the third-party unique-id-64 package's code. The injected dependency is unpinned (^1.0.0) and is not a legitimate transitive of bn.js — it is the payload-delivery vehicle for whatever the third-party package contains now or in the future. Installers expecting bn.js semantics silently take a runtime dependency on attacker-selected code reached through a confusingly-named lookalike package.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004851",
            "import_time": "2026-05-26T06:26:14.140621251Z",
            "sha256": "4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T06:25:09Z",
            "versions": [
                "1.4.0"
            ]
        },
        {
            "id": "IN-MAL-2026-004856",
            "import_time": "2026-05-26T07:48:28.324713291Z",
            "sha256": "c00780a3026cf6886eb1c16dbfe7a20d9dea3ac9e12bd2de1a3856249df8d878",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T07:09:54Z",
            "versions": [
                "1.4.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ether-bn.js

Package

Name
ether-bn.js
View open source insights on deps.dev
Purl
pkg:npm/ether-bn.js

Affected ranges

Affected versions

1.*
1.4.0
1.4.1

Database specific

cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "lib/bn.js",
            "sha256": "d6b7f7f510a0574745196d24515cc9f121560cc5755aa1afe1f9283351ba8d8c",
            "tlsh": "e8938844abb720599a4b753c4faf60886a74e41b5847dd08bd8ce3e06f5502482fdffa"
        },
        {
            "path": "package.json",
            "sha256": "cbbc438fa05f5350c7e7b503b7975447865e03c72373cfb9e272d00d8366486f",
            "tlsh": "41114c58cc694ca32bd566e5489d600bb671885b4898fc0cb3e7521c4b5f16f11feabc"
        }
    ],
    "package_integrity": [
        {
            "filename": "ether-bn.js-1.4.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-s2MbqGoQUt4wUpUMfI/H6wWPXKVVld4nXaqOHjyGvdXkd1AIdNQv1fv7nQAYNzrsoBuTc1SPMIG1QqzURKBmhw==",
                "sha1": "c98f6b5e1991a17a64e421b2cc3e6ab5deeef1d7"
            }
        }
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ether-bn.js/MAL-2026-4779.json"