MAL-2026-5991

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/req-parmas-valid/MAL-2026-5991.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5991

Published

2026-06-17T04:20:22Z

Modified

2026-06-17T06:02:05.062725576Z

Summary

Malicious code in req-parmas-valid (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (063b7e2667c434784d0b5d2ce333ea700fbc17571da3f5f4fc7d0f03ac406bd0)

Package name req-parmas-valid impersonates the well-known request HTTP client (description copied verbatim as 'Simplified HTTP request client.', bugs.url points at github.com/request/request/issues, README and most source copied from upstream). Bolted onto the copied source is a malicious middleware export (also exposed as reqValidator and the package's default export) which spawns a detached node lib/callers.js child process. lib/callers.js performs an HTTPS GET to https://www.jsonkeeper.com/b/DDC6J (an anonymous, mutable paste host), reads the Cookie field of the JSON response, and evaluates it via new Function.constructor("require", s)(require) — handing the fetched bytes full Node require capability with no integrity check, no pinning, and a payload host completely alien to the package's advertised purpose. Any consumer that imports and uses the middleware (the obvious Express-style API shape) executes arbitrary remote code controlled by whoever currently owns the paste.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006879",
            "import_time": "2026-06-17T05:45:41.944510336Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:20:22Z",
            "sha256": "063b7e2667c434784d0b5d2ce333ea700fbc17571da3f5f4fc7d0f03ac406bd0"
        }
    ]
}

References

https://www.npmjs.com/package/req-parmas-valid/v/1.0.2

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / req-parmas-valid

Package

Name: req-parmas-valid; View open source insights on deps.dev
Purl: pkg:npm/req-parmas-valid

Affected ranges

Affected versions

1.*

1.0.2

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/req-parmas-valid/MAL-2026-5991.json"

indicators

{
    "package_integrity": [
        {
            "filename": "req-parmas-valid-1.0.2.tgz",
            "hashes": {
                "sha1": "4d132ce87bdeedf6ad055a4751e0039e3d8ce0a3",
                "sha512_sri": "sha512-W+pSh5CRFQSFs32Iw3SQ/BrnIgUeppGeOCuCJ/sQsMWQtSH6wu8HZPR2OzkN8ERTeMfpKKd1QRo17x3TR7z2pQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/callers.js",
            "sha256": "2fd0ceb7b81d7b8ce9bc75aac88b67182d01b216767d8a25512025ec4ca99c07",
            "tlsh": "5301cb8f70ac545c09b013f6bb2be436f622a56b390281d1375cc7421f7699d6643eee"
        },
        {
            "path": "package.json",
            "sha256": "0bb4f8160350702ffe349843c1ccacf8a6f4424307688ddbf2fc728e7e1a6295",
            "tlsh": "64415220cc6a9d931ec929e5697d5603b1a0e41bce41bc0d778a638c4f4e46f32b8f6d"
        }
    ]
}