MAL-2026-6510

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@merceas/cross-fetch/MAL-2026-6510.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6510
Published
2026-06-26T05:51:44Z
Modified
2026-06-26T06:46:30.006184774Z
Summary
Malicious code in @merceas/cross-fetch (npm)
Details


Source: amazon-inspector (5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127)

The package is published under the @merceas scope as cross-fetch and reuses the upstream cross-fetch README, homepage (github.com/lquixada/cross-fetch), and author metadata to impersonate the legitimate cross-fetch package.

The package main, dist/node-ponyfill.js, contains decoy ponyfill code followed by two obfuscator.io-packed IIFEs that run when the module is require()d. The IIFEs dynamically import fs/os/path/https/http/crypto/url/child_process, AES-256-decrypt a URL constructed at runtime from four 32-byte hex Buffers, HTTPS-GET the payload (handling 301/302/303/307/308 redirects with exponential-backoff retries), write it under os.tmpdir()/<name>-<pid>/, chmod the file to 0755 (chmodSync(file, 0o1ed)), then execute it via bash -c <file>. They additionally spawn a detached, unref()'d child with stdio:'ignore' and windowsHide:true for self-respawn / persistence.

The obfuscation uses a string array with a numeric-IIFE shift, an RC4-keyed base64 lookup, and an anti-tamper RegExp debugger self-test to hide the URL and command strings from static inspection.

Importing this package, directly or as a transitive dependency, executes attacker-controlled bytes on the installer's machine in any environment that loads the module (CI, build, production, developer workstation).
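The affected version and tarball hash listed in this advisory can be checked against a project's lockfile before anything is installed. The following is an added example, not part of the advisory or of OSV's tooling, that walks a package-lock.json of lockfile version 1, 2 or 3 and flags any @merceas/cross-fetch entry whose version falls in the advisory's 3.* range or whose integrity field equals the advisory's sha512 SRI for cross-fetch-3.1.12.tgz. The embedded sample lockfile and its sha512-CONSTRUCTED value are constructed for the demonstration; the unscoped upstream cross-fetch is deliberately left unflagged.

```python
import json
import re
import sys

AFFECTED_NAME = "@merceas/cross-fetch"
AFFECTED_VERSION_RE = re.compile(r"^3\.")  # advisory's affected range: 3.*
# sha512 SRI of cross-fetch-3.1.12.tgz from the advisory's package_integrity block
KNOWN_BAD_SRI = "sha512-g9OiIa1Tyf1RS6I6igC7JFOSenkMR3APZt3yGWFmxIpK2UDUwiehe9vOmG/n4h6DBn69rtR4ERAaIynUnNbgPA=="

def _walk_v1(deps, prefix, out):
    """Flatten the nested "dependencies" tree of a lockfileVersion 1 file."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        out.append((path, name, meta))
        _walk_v1(meta.get("dependencies"), path + "/", out)

def lockfile_entries(lock):
    """Return (path, name, meta) for every installed package; handles lockfile v1, v2 and v3."""
    entries = []
    for path, meta in lock.get("packages", {}).items():  # v2/v3 keep a flat "packages" map
        if path:  # the "" key is the root project itself, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            entries.append((path, name, meta))
    if not entries:  # no "packages" map: fall back to the v1 nested tree
        _walk_v1(lock.get("dependencies"), "", entries)
    return entries

def find_affected(lock):
    """Flag each @merceas/cross-fetch entry in the affected range or carrying the known-bad tarball hash."""
    findings = []
    for path, name, meta in lockfile_entries(lock):
        if name != AFFECTED_NAME:
            continue  # the unscoped upstream cross-fetch is a different, legitimate package
        version, integrity = meta.get("version", ""), meta.get("integrity", "")
        hash_match = integrity == KNOWN_BAD_SRI
        if hash_match or AFFECTED_VERSION_RE.match(version):
            findings.append({"path": path, "version": version, "hash_match": hash_match})
    return findings

# Constructed sample lockfile: the legitimate package next to the impersonating scoped one.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/cross-fetch": {"version": "3.1.8", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/@merceas/cross-fetch": {"version": "3.1.12", "integrity": KNOWN_BAD_SRI},
}}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for hit in find_affected(lock):
        print(f"AFFECTED: {hit['path']} version {hit['version']} (hash match: {hit['hash_match']})")
```

Run it with the path to a real package-lock.json as the only argument; with no argument it scans the embedded sample.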

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.1.12"
            ],
            "modified_time": "2026-06-26T05:51:44Z",
            "sha256": "5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127",
            "id": "IN-MAL-2026-007598",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T06:28:53.100203378Z"
        }
    ]
}
References
Credits

Affected packages

npm / @merceas/cross-fetch

Package

Name
@merceas/cross-fetch
Purl
pkg:npm/%40merceas%2Fcross-fetch

Affected ranges

Affected versions

3.*
3.1.12

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cross-fetch-3.1.12.tgz",
            "hashes": {
                "sha512_sri": "sha512-g9OiIa1Tyf1RS6I6igC7JFOSenkMR3APZt3yGWFmxIpK2UDUwiehe9vOmG/n4h6DBn69rtR4ERAaIynUnNbgPA==",
                "sha1": "c551eeb1e01d4a5c1bd84fa777ff1fb4a42ad79e"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "1a513f21c96c4ca309e560a4557e528371248a878ea07c1d33df422d8f1e6ef30bdeae",
            "sha256": "acbdb415bc5877768dfb63d6444050ce4f2cfa136902b1ff1d87f01e38657553"
        },
        {
            "path": "dist/node-ponyfill.js",
            "tlsh": "ed93f9857dea307f535290b3212f6292e52ddc5d6348c418e461dcedbf6422ce27eaac",
            "sha256": "62a7c6e9fcd26c6a108978a0039d466d0b5c0761093bf60efa4c96e4bd1b1e57"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@merceas/cross-fetch/MAL-2026-6510.json"