MAL-2026-5581

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-patch/MAL-2026-5581.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5581
Published
2026-06-11T05:06:30Z
Modified
2026-06-11T05:46:32.875892506Z
Summary
Malicious code in webpack-patch (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba)

The package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node lib/caller.js child process. caller.js fetches https://jsonkeeper.com/b/XRGF3 via axios and passes the response's .cookie field to new Function.constructor('require', s)(require), executing attacker-controlled JavaScript with the full privileges of the Node process; the fetch-and-execute step runs in a retry loop.

The C2 URL and the HTTP header name and value are stored as base64 strings under sham process.env keys (DEV_API_KEY base64-decodes to https://jsonkeeper.com/b/XRGF3). A sibling const.js variant points at https://jsonkeeper.com/b/4NAKK, providing a pivot URL if the primary paste is removed. jsonkeeper.com is an anonymous, mutable paste host: whoever controls the paste controls arbitrary code execution on every consumer that loads webpack-patch and exercises its API, and the payload can be changed at any time without republishing the package.

The package.json description is generic boilerplate copied from an unrelated security policy, and the main entry point is a fake pino-style middleware whose only meaningful effect is launching the dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005546",
            "versions": [
                "1.1.7"
            ],
            "sha256": "d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:06:30Z",
            "import_time": "2026-06-11T05:41:05.571785854Z"
        }
    ]
}
References
Credits

Affected packages

npm / webpack-patch

Package: npm / webpack-patch
Affected ranges: 1.*
Affected versions: 1.1.7

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/caller.js",
            "sha256": "d81e48769a830cd3384a4b8977ade12e5ab7583eb7cca84e7ab966d15871bd71",
            "tlsh": "f8017b8a30fa605c015510f64b1fa4327011e4273c49e5c5378c87524fea9ae6963aed"
        },
        {
            "path": "package.json",
            "sha256": "dad1894553c8a92913e245428b988952b49dc32a00bccb19413b34a728f451da",
            "tlsh": "4c019761deb89e2301ed25824c2e0743ba619c075828fc2d32db512c4f9e9bf05bf25d"
        }
    ],
    "package_integrity": [
        {
            "filename": "webpack-patch-1.1.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-o9vr5PSWI24mjWCB61s3I1Gl7JZ20p7J2LDb6dGYzc1njpSYa0pMFKX6Nl1YG3Arcf+aIpSf09poJqu6KJzejw==",
                "sha1": "579b6db1639a0b92682b85346780946a7afaf31d"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-patch/MAL-2026-5581.json"