MAL-2026-6441

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unifydata/MAL-2026-6441.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6441

Published

2026-06-25T04:57:45Z

Modified

2026-06-25T06:31:21.849752454Z

Summary

Malicious code in unifydata (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3)

On require('unifydata'), index.js calls initPlugin() at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the response, and executes the response's cookie field as JavaScript via new Function.constructor('require', body.cookie) — then immediately invokes the resulting function with the real require, granting it full Node module-loading capability. jsonkeeper.com is an anonymous, author-mutable JSON paste service; the bytes executed in any installer process are whatever the author has posted there at the time of import, with no pinning, hashing, or signature. The package presents itself with a header comment labeling it normalize-plus (ES6 safe version) and ships a benign-looking normalizePath helper as a decoy, while the published package name is unifydata — the mislabeled cover and unused utility code are consistent with a dropper masquerading as a routine helper. Any process that imports this package executes arbitrary attacker-controlled code with the privileges of that process.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3",
            "id": "IN-MAL-2026-007458",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T04:57:45Z",
            "versions": [
                "3.6.6"
            ],
            "import_time": "2026-06-25T06:26:40.545934216Z"
        }
    ]
}

References

https://www.npmjs.com/package/unifydata/v/3.6.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / unifydata

Package

Name: unifydata; View open source insights on deps.dev
Purl: pkg:npm/unifydata

Affected ranges

Affected versions

3.*

3.6.6

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unifydata/MAL-2026-6441.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "db06229179a2486e3923de79412d20d9a4815da145684bf15042225eb6789b40",
            "tlsh": "fc41ddda20fa6115c1a3e1810e8fc409b22ae1173359cac5b99c53546fe07a8a7e2f5a",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "unifydata-3.6.6.tgz",
            "hashes": {
                "sha1": "a4031cfc2a8916e261b92ad735a6db3c3b5c8866",
                "sha512_sri": "sha512-EGhq19bWARdlqOvnSHSiGzOfWJzUn3TNrEIAvEdF7FV+KyZHr6/vQQSfzYRHZ0rCpigiOqfphbXfxQ6M748w4A=="
            }
        }
    ]
}