MAL-2026-6212

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@briskforge/envcheck/MAL-2026-6212.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6212

Published

2026-06-19T15:12:55Z

Modified

2026-06-19T15:47:24.247717846Z

Summary

Malicious code in @briskforge/envcheck (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313)

The package advertises itself as a tiny environment-variable validator but ships lib/preflight.js, a heavily obfuscated (obfuscator.io string-array rotation, RC4 decoder, ~1228-entry string array, control-flow flattening) ~277KB bundle that runs on every call to the package's main entry point: lib/index.js invokes preflight.runPrepare() at the top of envcheck(). After deobfuscation, lib/preflight.js performs an HTTPS GET to a remote endpoint, AES-256-GCM-decrypts the response using hardcoded key/IV constants embedded in the bundle, writes the decrypted bytes to a cache directory, and spawns them detached via process.execPath / sh with stdio:'ignore' and windowsHide:true. The module also exports onInstall() and self-executes when run as a script (if (require.main === module) { onInstall(); }), with a BRISKFORGEE13FTAG environment marker used as an anti-double-exec guard. The remote source is mutable and the decrypted payload is opaque, so any installer that imports the package — or runs the file directly — executes whatever bytes the operator chooses to serve, with no integrity checks. Package metadata compounds the deception: repository.url, bugs.url, and homepage all point at https://github.com/validatorjs/validator.js, an unrelated well-known OSS project, while the publisher is an unrelated ProtonMail account (briskforge@pm.me) with no corresponding GitHub presence — a deliberate impersonation to borrow legitimacy from validatorjs on the npm listing page.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:12:55Z",
            "versions": [
                "0.5.5"
            ],
            "id": "IN-MAL-2026-007078",
            "import_time": "2026-06-19T15:41:55.645473286Z"
        }
    ]
}

References

https://www.npmjs.com/package/@briskforge/envcheck/v/0.5.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @briskforge/envcheck

Package

Name: @briskforge/envcheck; View open source insights on deps.dev
Purl: pkg:npm/%40briskforge%2Fenvcheck

Affected ranges

Affected versions

0.*

0.5.5

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@briskforge/envcheck/MAL-2026-6212.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "26ddfae644673e0ad65b63caaaf67c0f7dc6c2b2b4127bb5271f8d03fb62091a",
            "tlsh": "6a449730b3c07c9425479f7b332ef5e5f92e5fa934a8088bd065bc64a6ea915dad0730",
            "path": "lib/preflight.js"
        },
        {
            "sha256": "ce6267dc0815b70056d905a964d70a1e61c7709d3efb9094756e50ae5a379fe4",
            "tlsh": "540104b5c52428971fc876f49ce951c3a2a14807cc64fc0926d3012c97ddea712fd1bc",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-+Ttoy2lN1+0bDees1E/xPulUHjiFLpi08djOdarmd+SlmVQKNmM6LIbr0273qbE4BJKCuylTC4fZYqDxKSRYnA==",
                "sha1": "a8611562149aaa0e5f0107953073aa38813ecd16"
            },
            "filename": "envcheck-0.5.5.tgz"
        }
    ]
}