MAL-2026-6211

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@apiwizards/auth-middleware/MAL-2026-6211.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6211
Published
2026-06-19T15:03:53Z
Modified
2026-06-19T15:47:24.123892365Z
Summary
Malicious code in @apiwizards/auth-middleware (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ba0f33946c3dd0624d21c0e99beb12f22b880bc126a3474753b38a9799fc5293)

The package advertises itself as auth middleware but its main entry (index.js) is a 21KB obfuscator.io-packed file that, on require, performs a hidden download-and-execute pipeline. The single-file main uses an RC4-decoded 273-entry string array and control-flow flattening to conceal its require targets and network destination. On load it requires fs/os/path/child_process plus an HTTP client, installs no-op handlers for uncaughtException/unhandledRejection to suppress errors, constructs a host string via chained replaceAll calls on an obfuscated literal, performs an HTTP GET, writes the response body to disk with flag 'w+', and then invokes child_process.exec on the fetched bytes with windowsHide:true and cwd=process.cwd(). Any service that imports this package executes attacker-controlled remote code in its process context. The package.json has empty description and author and uses a generic name (@apiwizards/auth-middleware) consistent with namespace abuse targeting developers searching for an auth library.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ba0f33946c3dd0624d21c0e99beb12f22b880bc126a3474753b38a9799fc5293",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:03:53Z",
            "versions": [
                "4.7.0"
            ],
            "id": "IN-MAL-2026-007075",
            "import_time": "2026-06-19T15:41:55.448208979Z"
        }
    ]
}
References
Credits

Affected packages

npm / @apiwizards/auth-middleware

Package

Name
@apiwizards/auth-middleware
Purl
pkg:npm/%40apiwizards%2Fauth-middleware

Affected ranges

Affected versions

4.*
4.7.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@apiwizards/auth-middleware/MAL-2026-6211.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "a8cf7aea481751cd84e6671ed5be2de5360ee1e316c7733b34735084996618fb",
            "tlsh": "709296c83bc1f0a05333f0b7ba1bb0a6e1695c8cb2499445f797b498fd68714e4967a8",
            "path": "index.js"
        },
        {
            "sha256": "e18a36b14a42b6261f197d59024f4be723bd868b05ff187a160d57aa0910a632",
            "tlsh": "a0e072242a72043304c822250c2da423b6a2cf6f042c3c0823cf692c83ce03328fe34c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-3YZSLSmZ9/pe1fL1whkculi+4CTM9gyzJNkJGlwndjkgDlVMHxvfjhg8dKfiqTsu91GSVsPJIKfD6Ud51laTng==",
                "sha1": "adfbacc90cccbe74061157b5ea2be460a270e980"
            },
            "filename": "auth-middleware-4.7.0.tgz"
        }
    ]
}