MAL-2026-5753

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvi/ts-form-utils/MAL-2026-5753.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5753
Published
2026-06-13T21:38:53Z
Modified
2026-06-13T22:31:44.926302599Z
Summary
Malicious code in @gbrlxvi/ts-form-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (20e77262ebb59497687fabfba394959da9ce6afbaf436aa5fcf654b2c8a44a32)

Package advertises trivial form-validation helpers (notEmpty/isEmail/isPhone/maxLen/minLen) but, on require/import of the main module, performs environment-gated execution of a concealed payload, equivalent in effect to remote code execution. index.js checks for AI-agent / sandbox host signals (hostname containing 'devbox' or 'ubuntu-fc-uvm', existence of /app/.git, presence of the JULESSESSIONID environment variable used by Google Jules) and, when any of them match, reads lib/.perf.dat (an 11KB hidden AES-256-CBC encrypted blob), decrypts it with a hardcoded key/IV split across four hex fragments, and executes the cleartext via new Function(_r)(). Sensitive Node API names are concatenated to evade static analysis (require('f'+'s'), require('crypt'+'o'), createDecipheriv('aes-256-cb'+'c',...)) and the entire block is wrapped in try{...}catch(_){} so failures are silent. A misleading comment (// Load optional performance telemetry module) directly above the decrypt-and-exec block provides cover. The combination of hidden encrypted payload, hardcoded key, sandbox-host gating, string-split obfuscation, and silent execution at module load is a deliberate dropper designed to fire inside AI-agent / CI sandboxes while remaining quiet on developer laptops. Any process that requires or imports this package on a matching host runs attacker-controlled code with the full privileges of the host process. Because the trigger described here is module load rather than an install-time lifecycle script, disabling install scripts (npm's --ignore-scripts) would not by itself prevent execution.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006433",
            "versions": [
                "1.9.0"
            ],
            "sha256": "020672b183cc7624f9352dcd99d6584755d8aba7c2c3b8ba2c51488db921ac69",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:03Z",
            "import_time": "2026-06-13T22:27:36.541091647Z"
        },
        {
            "id": "IN-MAL-2026-006436",
            "versions": [
                "1.0.1"
            ],
            "sha256": "1e64a8a601d0ea3395020f8e7e6a6e05ca0c0bbc97690ad1f10ecddfea2a0881",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:05Z",
            "import_time": "2026-06-13T22:27:36.694615588Z"
        },
        {
            "id": "IN-MAL-2026-006430",
            "versions": [
                "1.4.0"
            ],
            "sha256": "612a7d24d129dc2a7ef33c1c079e054f495c64e7b45a48d449548b53e86b14f3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:01Z",
            "import_time": "2026-06-13T22:27:36.286878384Z"
        },
        {
            "id": "IN-MAL-2026-006434",
            "import_time": "2026-06-13T22:27:36.581427214Z",
            "sha256": "797e08685dd81cf8f98e89032aa97cb7c73383b41c9fa8054f8c5a143366a00a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:03Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006438",
            "versions": [
                "1.3.0"
            ],
            "sha256": "99f7d879480f11f118972f459c1241dc3ba43af5f4804b2908234db38765e337",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:06Z",
            "import_time": "2026-06-13T22:27:36.788252129Z"
        },
        {
            "id": "IN-MAL-2026-006419",
            "import_time": "2026-06-13T22:27:35.731847766Z",
            "sha256": "feae9607963762c439f72fa10db6739490b3547d2ad787884c33d1a1cb4f4278",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:55Z",
            "versions": [
                "1.6.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006420",
            "versions": [
                "1.2.1"
            ],
            "sha256": "07e94a7b3fb5fa835a6456daa2e996705fc78efcb9f1949433c7dd84a679c96a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:55Z",
            "import_time": "2026-06-13T22:27:35.792606507Z"
        },
        {
            "id": "IN-MAL-2026-006418",
            "import_time": "2026-06-13T22:27:35.648749775Z",
            "sha256": "3aca9046854cfa926ed61680c83ba720f0735b51e28d16db3bfe476d4015fd1d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:54Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006439",
            "import_time": "2026-06-13T22:27:36.868206774Z",
            "sha256": "40c6b2e7595f2f399f83210113aad2fe1cf27abad0b19d91f278b596f1141b12",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:07Z",
            "versions": [
                "1.3.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006423",
            "versions": [
                "1.1.0"
            ],
            "sha256": "6e9ba9e4eaae207ea3e9962b8623ce38b6fdf7e39f12c4562311ca3cc9c8dc72",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:57Z",
            "import_time": "2026-06-13T22:27:35.901375284Z"
        },
        {
            "id": "IN-MAL-2026-006432",
            "versions": [
                "1.4.0"
            ],
            "sha256": "6f1a493f8ae8bef2cdd8afbb113b8e0f0c2bd86f4ef0e7ac7e34bddd23b65f29",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:02Z",
            "import_time": "2026-06-13T22:27:36.417595956Z"
        },
        {
            "id": "IN-MAL-2026-006415",
            "import_time": "2026-06-13T22:27:35.437823952Z",
            "sha256": "71d9cedec03f81b8bd1478618d964a8aaa3cd4060c2189de90c64633653f0abf",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:53Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006422",
            "import_time": "2026-06-13T22:27:35.866968424Z",
            "sha256": "76dbf856004a1077cd98f2e249671d488b49858447c08f83bf8463af791f471c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:56Z",
            "versions": [
                "2.1.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006429",
            "versions": [
                "1.0.2"
            ],
            "sha256": "7e846712a26aa26f3405f3073038bc0b0083a339a19cd9e1d006094e475768a4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:00Z",
            "import_time": "2026-06-13T22:27:36.225666815Z"
        },
        {
            "id": "IN-MAL-2026-006435",
            "versions": [
                "1.5.0"
            ],
            "sha256": "20e77262ebb59497687fabfba394959da9ce6afbaf436aa5fcf654b2c8a44a32",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:04Z",
            "import_time": "2026-06-13T22:27:36.652820326Z"
        },
        {
            "id": "IN-MAL-2026-006425",
            "versions": [
                "1.1.0"
            ],
            "sha256": "40ea39992b18e1c80361e9288e87dad2250cb2c92dfa042116d87b9228c9ce0b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:58Z",
            "import_time": "2026-06-13T22:27:36.034703248Z"
        },
        {
            "id": "IN-MAL-2026-006440",
            "versions": [
                "1.7.0"
            ],
            "sha256": "68b77f82c4db9fdd54fb212d46c02aee277e47036a925849a25a0b7edb9658bb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:07Z",
            "import_time": "2026-06-13T22:27:36.952297662Z"
        },
        {
            "id": "IN-MAL-2026-006424",
            "versions": [
                "2.1.0"
            ],
            "sha256": "8243efd91b1e880868a29bdf8ce365aaf44eb4d5d8d67551105e0418862c3fa1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:57Z",
            "import_time": "2026-06-13T22:27:35.987715479Z"
        },
        {
            "id": "IN-MAL-2026-006416",
            "import_time": "2026-06-13T22:27:35.523004069Z",
            "sha256": "ad9403a3859b206bc3ff5a70afc9649e6e026130c79f241208b1c1101b85cfc3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:53Z",
            "versions": [
                "1.6.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006427",
            "versions": [
                "2.0.0"
            ],
            "sha256": "c62a5b59d2296c1241ce25b759510f46dc9624e8768134bed2d35841a8b624bc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:59Z",
            "import_time": "2026-06-13T22:27:36.111155327Z"
        },
        {
            "id": "IN-MAL-2026-006431",
            "versions": [
                "1.9.0"
            ],
            "sha256": "d7f8cb27d87fdbfaa52e6a62a0e0c315c3b80d2a582dbe383d9c8b1b66d774ba",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:01Z",
            "import_time": "2026-06-13T22:27:36.338822531Z"
        },
        {
            "id": "IN-MAL-2026-006421",
            "import_time": "2026-06-13T22:27:35.817892842Z",
            "sha256": "f4e6e1f5854ed9e6b2556c791180b5c6818a54d642cace327b29925cae3efe10",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:56Z",
            "versions": [
                "1.2.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006428",
            "versions": [
                "1.0.2"
            ],
            "sha256": "19fed3d40ad4eeace127713807d02dc10231019dc1c01d1d2bab2bd1ca059a29",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:00Z",
            "import_time": "2026-06-13T22:27:36.147314299Z"
        },
        {
            "id": "IN-MAL-2026-006441",
            "import_time": "2026-06-13T22:27:36.988966505Z",
            "sha256": "382d1a2d470f2c29c585259a7043c3bfaf61a8a4d5e8b6d4077d2ad9d1195401",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:08Z",
            "versions": [
                "1.7.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006426",
            "import_time": "2026-06-13T22:27:36.068690377Z",
            "sha256": "da4236ad5bf725cfd50b5da20d0a6a499dbe78fec666f63fd2444e2669d57d40",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:58Z",
            "versions": [
                "2.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006437",
            "import_time": "2026-06-13T22:27:36.741688666Z",
            "sha256": "ea64905deb85e1c575b0cc0aa13b908dd0befe94dbc781444826986123f20174",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:05Z",
            "versions": [
                "1.5.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006417",
            "import_time": "2026-06-13T22:27:35.582704355Z",
            "sha256": "ed706d68c22a68cd54df5d0b9c17de5317c1ea8e97dc5e1655768c4fa99bbcea",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:38:54Z",
            "versions": [
                "1.8.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006442",
            "versions": [
                "1.8.0"
            ],
            "sha256": "f9bc61771148f9c7f8c14c8faa5bffa2f4b460cc4d1f4b61269c5c1f28c3a0b3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:39:09Z",
            "import_time": "2026-06-13T22:27:37.036153296Z"
        }
    ]
}
References
Credits

Affected packages

npm / @gbrlxvi/ts-form-utils

Package

Name
@gbrlxvi/ts-form-utils
Purl
pkg:npm/%40gbrlxvi%2Fts-form-utils

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.2.1
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
2.*
2.0.0
2.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvi/ts-form-utils/MAL-2026-5753.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "37ec77f103e5d14e9c81e1a13f25b7ad7503e641d13608576c16e7de0ca77f47",
            "tlsh": "084130846cfa61b039335092502bc90376f6aa07105ced59b2e9d7922fe4f90866f6fc"
        }
    ],
    "package_integrity": [
        {
            "filename": "ts-form-utils-1.4.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-sr3J9MDO4Yf5hPKjDDmaCOMR98TFX43uz/x6EfZOtrjoJD8m1Hd6gbXuP7fEWJrSrHpbejJkgSn0J7Oppb5fLQ==",
                "sha1": "f912c681b4b173e6da768937548f8a2b6e2ec4f3"
            }
        }
    ],
    "ips": [
        "104.16.2.34",
        "10.1.0.2"
    ],
    "domains": [
        "aaronstack.com"
    ]
}