MAL-2026-6484

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/random-string-64/MAL-2026-6484.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6484
Published
2026-06-25T22:58:50Z
Modified
2026-06-25T23:16:23.670366444Z
Summary
Malicious code in random-string-64 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96)

The package advertises itself as a 5-line random-string generator, but index.js (the declared main) contains a hardcoded AES-256-CBC ciphertext blob that is decrypted with a sha256-derived key and passed to globalThis.eval. The eval identifier is hidden by storing the strings ['error','vertex','length','delta','alphabetic'] and reconstructing the function name from the first letter of each entry ('e','v','a','l'). Execution is gated by node-env-detector checks (isCI / isNpmBot / isContainer / isVirtualMachineLikely): on automated or sandboxed hosts the package only logs a benign message, while on real developer workstations the decrypted JavaScript is executed when the exported getUniqueID(64) function is called. Any consumer that imports random-string-64 and invokes its documented API on a developer machine therefore runs attacker-controlled code with the privileges of the calling process. The combination of an opaque encrypted payload, eval-identifier obfuscation, and explicit anti-analysis gating is the unambiguous shape of a supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "356cb4cebd8f7b30b014f32279670aee9beca2a356c7f778c343afb954db764e",
            "id": "IN-MAL-2026-007569",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T22:58:50Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-25T23:00:35.049451629Z"
        },
        {
            "sha256": "9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96",
            "id": "IN-MAL-2026-007570",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T22:58:56Z",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-25T23:00:35.097102401Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / random-string-64
Affected ranges: 1.*
Affected versions: 1.0.0, 1.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/random-string-64/MAL-2026-6484.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "358966aeea50b0195f9c8d14106e12caebf7d2bd44b2fd789c1f5931669481e2",
            "tlsh": "bd51c99a38767504178250ebc6bff80e123aba437844a78077cd66c68fe873895b2079",
            "path": "index.js"
        },
        {
            "sha256": "2ef681506356ca9514f9613a1b1ac81a4c6c8bc6bb52157cf69ca5e6e4dad5f9",
            "tlsh": "50e02b3d4e4185ca14b3a28212e793e00c02c0a03ce86aa8af82d4fa42818022838f24",
            "path": "readme.md"
        }
    ],
    "package_integrity": [
        {
            "filename": "random-string-64-1.0.0.tgz",
            "hashes": {
                "sha1": "4c0ad09d47041901cb517c94f45b9ecad967c161",
                "sha512_sri": "sha512-CzW2MdO5wBIOtGjPpOeZHeu5QMdgr31reVsVjkjU+LymD311fCRtx1qusspfGC5+7JlgrbnrbGhbrv7YU329tQ=="
            }
        }
    ]
}