MAL-2026-4781

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unique-id-64/MAL-2026-4781.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4781
Published: 2026-05-26T06:21:57Z
Modified: 2026-05-26T06:31:42.384604819Z
Summary: Malicious code in unique-id-64 (npm)
Details


Source: amazon-inspector (8ab3b19e4bd1602de93ca092a5909f8b69927c01d5a690d3484116024dfc46e2)

Package impersonates the well-known sindresorhus/unique-string utility: package.json copies the author block (name 'Sindre Sorhus', email sindresorhus@hotmail.com, homepage sindresorhus.com), repository field 'sindresorhus/unique-string', and README verbatim, despite not being published by that author. The default export, when invoked as uniqueString(64), AES-256-CBC-decrypts a hardcoded ciphertext (key derived from sha256('256-key')) and hands the plaintext to globalThis.eval, with 'eval' reconstructed obfuscation-style by joining the first letters of ['error','vertex','alphabetic','length']. Before reaching the eval branch, the code consults node-env-detector and short-circuits to a warning log when env.isCI || env.isNpmBot || env.isContainer || env.isVirtualMachineLikely is true — a deliberate sandbox/CI evasion gate so the hidden payload only fires on real developer or production hosts. The combination of identity-spoofed metadata, encrypted eval'd payload, and analysis-evasion gating is an unambiguous supply-chain attack: the installer cannot see what code runs, and the package's stated purpose (generate a unique string) does not require eval, AES decryption, or CI detection.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-26T06:21:57Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "8ab3b19e4bd1602de93ca092a5909f8b69927c01d5a690d3484116024dfc46e2",
            "id": "IN-MAL-2026-004849",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T06:26:13.943115207Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / unique-id-64
Affected ranges: 1.*
Affected versions: 1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "609c7b2224f44364324f50eab6199086c0d23e134f50bdae1761ae1afd9728a0",
            "tlsh": "9351c99a38767504178250fbc6bff80e023aba437844a79077cd66c68fe873895b2079",
            "path": "index.js"
        },
        {
            "sha256": "feb25f23c87f0ad3fa2440095940f29b5c6d67cce329cc7d6c0f96cb14abcbba",
            "tlsh": "99019c17962a75d38be8a5c86cec85ca543c6006a8c4ddfd8cc23614c2edb9022ba656",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Tz+51tl1hDtaS4PdxeIRarN7kM4Z9W42rHpJdqmcP4Fy1yqJKe78PcKCr+XYlh8rO/FUqJVkBGxsuI4Aakrikw==",
                "sha1": "273089fe433e5682e1751922068a4fc5c024a1b5"
            },
            "filename": "unique-id-64-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unique-id-64/MAL-2026-4781.json"