-= Per source details. Do not edit below this line.=-
The package advertises plain math/formatter helpers but index.js contains a heavily obfuscated payload concealed inside the calculateTokenPrice function. The payload is hidden behind ~1500 leading tab characters of visual padding, then uses two seeded Fisher-Yates string-shuffler decoders and String.fromCharCode splicing to reconstruct the identifiers 'constructor', 'require', and 'module' at runtime. The code resolves Function via yLb[kqz] (a string-shuffled property lookup for 'constructor'), uses that Function constructor to build a decoder from one shuffled blob, decodes a second scrambled blob into JS source, and invokes that source via Function(...)(3004). It also assigns the CommonJS require and module bindings to globalThis (global[require]=require; global[module]=module), giving the decoded code access to any Node built-in (network, fs, child_process) regardless of how the package is imported. None of this behavior is documented in the README or exposed through the advertised API. The combination of multi-layer obfuscation, visual concealment via tab padding, dynamic eval of decoded literals, and forced global exposure of require/module is the canonical shape of a hidden remote-code-execution backdoor in an npm utility package — the decoded payload runs whenever calculateTokenPrice is called by a consumer.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.0"
],
"id": "IN-MAL-2026-007459",
"import_time": "2026-06-25T06:26:40.657818753Z",
"modified_time": "2026-06-25T05:29:26Z",
"sha256": "81f8a194aa79844110dede95f5f8c798d05c04c08f1a4f5d8822124b17c65fa6",
"source": "amazon-inspector"
},
{
"sha256": "98ad20b73424aeaaf58831c2ff2b370fcb5062535fdcc0501bf92281ca169740",
"id": "IN-MAL-2026-007460",
"import_time": "2026-06-25T06:26:40.747975627Z",
"modified_time": "2026-06-25T05:29:31Z",
"versions": [
"0.2.0"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "0956c1b99ac68710864c32ffb75c5fcfc736d4a55ebd3909d4834fbd765b417b",
"tlsh": "6822098cba576e514b752770a91e5029ff605731a40fd981f3b8c8c26fe392482d7e0e",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "tokenization-util-1.1.0.tgz",
"hashes": {
"sha512_sri": "sha512-L0mH6swLcGLVRAWvvBUu/Z4BB8D9pcuUZOzlmTkFddfn8VYr8OtAADqs+o/eDf+lwJYJXXw4ysE1bqRjvbNjFg==",
"sha1": "f00de1b7b106bcc3c859896b292a862455b0d55a"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tokenization-util/MAL-2026-6440.json"