MAL-2026-4781

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unique-id-64/MAL-2026-4781.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4781
Aliases
  • GHSA-wp6h-8x7v-865g
Published
2026-05-26T06:21:57Z
Modified
2026-07-06T20:01:57.730639457Z
Summary
Malicious code in unique-id-64 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8ab3b19e4bd1602de93ca092a5909f8b69927c01d5a690d3484116024dfc46e2)

Package impersonates the well-known sindresorhus/unique-string utility: package.json copies the author block (name 'Sindre Sorhus', email sindresorhus@hotmail.com, homepage sindresorhus.com), repository field 'sindresorhus/unique-string', and README verbatim, despite not being published by that author. The default export, when invoked as uniqueString(64), AES-256-CBC-decrypts a hardcoded ciphertext (key derived from sha256('256-key')) and hands the plaintext to globalThis.eval, with 'eval' reconstructed obfuscation-style by joining the first letters of ['error','vertex','alphabetic','length']. Before reaching the eval branch, the code consults node-env-detector and short-circuits to a warning log when env.isCI || env.isNpmBot || env.isContainer || env.isVirtualMachineLikely is true — a deliberate sandbox/CI evasion gate so the hidden payload only fires on real developer or production hosts. The combination of identity-spoofed metadata, encrypted eval'd payload, and analysis-evasion gating is an unambiguous supply-chain attack: the installer cannot see what code runs, and the package's stated purpose (generate a unique string) does not require eval, AES decryption, or CI detection.

Source: ghsa-malware (e07ae89bf61863621d92c76397d95dce54989d3274ba308f4a7773a8d419a353)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-26T06:21:57Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "8ab3b19e4bd1602de93ca092a5909f8b69927c01d5a690d3484116024dfc46e2",
            "import_time": "2026-05-26T06:26:13.943115207Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004849"
        },
        {
            "modified_time": "2026-07-06T19:00:33Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "e07ae89bf61863621d92c76397d95dce54989d3274ba308f4a7773a8d419a353",
            "import_time": "2026-07-06T19:53:47.991153063Z",
            "source": "ghsa-malware",
            "id": "GHSA-wp6h-8x7v-865g"
        }
    ]
}
References
Credits

Affected packages

npm / unique-id-64

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "9351c99a38767504178250fbc6bff80e023aba437844a79077cd66c68fe873895b2079",
            "sha256": "609c7b2224f44364324f50eab6199086c0d23e134f50bdae1761ae1afd9728a0",
            "path": "index.js"
        },
        {
            "tlsh": "99019c17962a75d38be8a5c86cec85ca543c6006a8c4ddfd8cc23614c2edb9022ba656",
            "sha256": "feb25f23c87f0ad3fa2440095940f29b5c6d67cce329cc7d6c0f96cb14abcbba",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "273089fe433e5682e1751922068a4fc5c024a1b5",
                "sha512_sri": "sha512-Tz+51tl1hDtaS4PdxeIRarN7kM4Z9W42rHpJdqmcP4Fy1yqJKe78PcKCr+XYlh8rO/FUqJVkBGxsuI4Aakrikw=="
            },
            "filename": "unique-id-64-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unique-id-64/MAL-2026-4781.json"