-= Per source details. Do not edit below this line.=-
params-valid-js impersonates the well-known request package (copies Mikeal Rogers' Apache-2.0 header, points bugs URL to github.com/request/request/issues, replicates request's API surface) while shipping a remote-code dropper. index.js exports a function shaped like Express middleware ((req,res,next)=>next()) as module.exports, default, and reqValidator. When invoked, the middleware calls swapJson(...) which spawns node lib/callers.js with { detached: true, stdio: 'ignore' } and child.unref() — concealing all output. lib/callers.js then performs axios.get('https://www.jsonkeeper.com/b/5IZTJ'), extracts data.Cookie, and executes the response body with new Function.constructor('require', s); handler(require);, passing the real require into the fetched code. jsonkeeper.com is an anonymous, mutable public paste host, so the attacker can swap in arbitrary Node-privileged payloads at any time. Any application that wires this lookalike into its HTTP stack triggers arbitrary remote code execution on the host.
{
  "malicious-packages-origins": [
    {
      "sha256": "4f0f4f5cc684f7bf7b40af2f6856c7d5865f57c7492da68af6c1c194741a4629",
      "source": "amazon-inspector",
      "modified_time": "2026-06-17T04:22:54Z",
      "id": "IN-MAL-2026-006882",
      "versions": [
        "1.0.0"
      ],
      "import_time": "2026-06-17T05:45:42.075763795Z"
    }
  ]
}
[
  {
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature.",
    "cweId": "CWE-506"
  }
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/params-valid-js/MAL-2026-5988.json"
{
  "evidence_files": [
    {
      "sha256": "958ffe8101528203679b0ccfea7dae00f3069f21f87a15d45740bfc183b7a48e",
      "tlsh": "8e01978f70ac545c09b013e6bb2be436f622b56b390281d0375c86421f769a96653eee",
      "path": "lib/callers.js"
    },
    {
      "sha256": "356f24fff7af39ef7026879a2c571b3c81ee0ecf880078e24b25be69fe5642d6",
      "tlsh": "87a1648526e373519aebb2d1e81f4229b675d223320e1a7178c587d81f0cc69d3b3dd5",
      "path": "index.js"
    },
    {
      "sha256": "89c833a7fbb54df1f60658a049f6c22b590048263c2ed1a9eedccfe64bc123ac",
      "tlsh": "62415620cc6a8c931dc929e5687d5603b1a0a41b8e41bc1d778a638c4f5e46f32b8f2d",
      "path": "package.json"
    }
  ],
  "package_integrity": [
    {
      "hashes": {
        "sha512_sri": "sha512-UGgRKNlZk5LB6jl1fVWCjEbEEzudaH300FB8EMzkixbDlrWB1x2paVFQySa8GmEzKGnl713L51IOqE4JedqVcA==",
        "sha1": "2571d0dfb830c5c57026818751f72ec713a94676"
      },
      "filename": "params-valid-js-1.0.0.tgz"
    }
  ]
}