MAL-2026-5791
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mddriver/MAL-2026-5791.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5791
- Published
- 2026-06-15T16:31:14Z
- Modified
- 2026-06-15T17:31:48.584573005Z
- Summary
- Malicious code in mddriver (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56)
On require('mddriver'), an IIFE in index.js invokes loadTokenData(), which fetches https://www.jsonkeeper.com/b/C4H0M (stored base64-encoded as "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9DNEgwTQ==" and decoded with atob), parses the JSON response, and passes the.content field to a Function-constructor evaluator (
new (Function.contructor)(...)) for execution. The paste-style host is anonymous and the fetched content is fully mutable — any consumer that imports this package executes whatever JavaScript the operator of that paste serves at that moment, with no signature, hash, or pinning. The package metadata advertises 'MongoDB connection driver' but the shipped index.js is a verbatim copy of Node's built-inpathmodule with the dropper appended; the name 'mddriver' and the misleading description are consistent with a typosquat targeting developers searching for mongodb / mongoose drivers. - Database specific
{ "malicious-packages-origins": [ { "sha256": "0ee35202550715cbac37d68d73bc21d03bb77ce6bc0344d35cc888ec9d7386b6", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:16Z", "versions": [ "1.8.5" ], "id": "IN-MAL-2026-006518", "import_time": "2026-06-15T17:22:47.30783131Z" }, { "sha256": "23788efca2b8bfdbba9ddfb832302d51900d1e8b76cc086d8de20a4d10788830", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:19Z", "versions": [ "1.8.4" ], "id": "IN-MAL-2026-006523", "import_time": "2026-06-15T17:22:47.872271378Z" }, { "sha256": "2fba277e47ff86cbf1157c8ea6f1e99c0f929e75676f080b335174a90b7fe299", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:16Z", "versions": [ "1.8.4" ], "id": "IN-MAL-2026-006519", "import_time": "2026-06-15T17:22:47.389601966Z" }, { "sha256": "5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:17Z", "id": "IN-MAL-2026-006520", "versions": [ "1.8.2" ], "import_time": "2026-06-15T17:22:47.586749739Z" }, { "sha256": "60df6c04caff9968ec7a4c511213425653f6c3ce4a4bb49f41c8e22360de7eb3", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:18Z", "versions": [ "1.8.6" ], "id": "IN-MAL-2026-006522", "import_time": "2026-06-15T17:22:47.768385866Z" }, { "sha256": "c647b8cad06488430fd2c7f37b2ace1d9ddfef7cad74bd8fa0b07905c7eb480f", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:14Z", "id": "IN-MAL-2026-006517", "versions": [ "1.8.5" ], "import_time": "2026-06-15T17:22:47.173753461Z" }, { "sha256": "d65de0c9e338c91580589a2b878860289cf0d49760d4770d4eca8f3df78b29b5", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:21Z", "versions": [ "1.8.3" ], "id": "IN-MAL-2026-006526", "import_time": "2026-06-15T17:22:48.154142298Z" }, { "sha256": "5c7ab6a385ebd75263a4c570d3b7214acc1d6e61a9c8fb4788e9e08fabd766f1", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:20Z", "versions": [ "1.8.2" ], "id": "IN-MAL-2026-006524", "import_time": "2026-06-15T17:22:47.937956254Z" }, { "sha256": "8f806e408e1e61e839b6c693dd719dd5f5f3e7b26f5f5a5149d8085e7997df06", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:17Z", "versions": [ "1.8.6" ], "id": "IN-MAL-2026-006521", "import_time": "2026-06-15T17:22:47.662802109Z" }, { "sha256": "cc2cfb53823d22e1d06e31d506013143409583d37f05815c099555ddf2790f89", "source": "amazon-inspector", "modified_time": "2026-06-15T16:31:20Z", "versions": [ "1.8.3" ], "id": "IN-MAL-2026-006525", "import_time": "2026-06-15T17:22:47.990481058Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / mddriver
Package
- Name
- mddriver
- View open source insights on deps.dev
- Purl
- pkg:npm/mddriver
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mddriver/MAL-2026-5791.json"
indicators
{
"evidence_files": [
{
"sha256": "77f0eaa32aa208e3306736483c2a065226cb68b98d3c02f8e6cb98aecd60a709",
"tlsh": "ac729444594661559a3777b0df0a340ef77584f34215ab00f89cea502f72e78a2feee8",
"path": "index.js"
},
{
"sha256": "50d0ae37607d87c41111ac49f3ed4f04146772471769bcc6192cda5b2a6a9590",
"tlsh": "dbe0cd209f61583302e61165186b494777f0ce1f0504bc0423cb5a1cca5e6bf79fb75d",
"path": "package.json"
}
],
"domains": [
"www.jsonkeeper.com"
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-Eeri9BczTTvKePB6BQ31SSLAPa7iaV1wdaHmvumKr4ANDPbA8GPjtH8AHhAQrVpDFZl64qOpwybeAWqI9hSy5A==",
"sha1": "4929ea0abfe7034bcce0e812e6d6c5ecd772ce53"
},
"filename": "mddriver-1.8.4.tgz"
}
],
"ips": [
"10.1.0.2",
"104.16.3.34",
"64.227.108.217"
]
}