MAL-2026-6536

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@krentzen/buffer-reverse/MAL-2026-6536.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6536
Published
2026-06-26T20:21:45Z
Modified
2026-06-26T20:46:36.340104744Z
Summary
Malicious code in @krentzen/buffer-reverse (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7b7fccd6dbb7ba8a92be0bcbb002f92c43ff0c5e4bb82666589834a7be69e6bf)

@krentzen/buffer-reverse impersonates the well-known buffer-reverse package (it copies the legitimate author, repo URL, README, and the genuine ~10-line reverse() function at the top of index.js as a cover story). Below that cover, index.js contains two ~46KB heavily obfuscated IIFEs (RC4 string-array decoder, anti-debug, control-flow flattening) that run at require() time. The decoded payload performs an import-time binary dropper sequence: it re-spawns the current Node process with child_process.spawn(process.execPath, argv, {detached:true, stdio:'ignore', env:{...process.env, <marker>:set}}).unref() and returns in the parent (so it detaches from the consumer / npm install); in the child it then issues an HTTPS GET (port 443) with full redirect handling (301/302/303/307/308), streams the response into a file under os.tmpdir(), writes a <file>.json sidecar containing {status, size, sha256, downloadedAt}, calls fs.chmodSync(file, 0o755), and runs child_process.spawn(file, [], {detached:true, stdio:'ignore', windowsHide:true}).unref(). The fetched binary is unpinned, unsigned, and has no publisher tie-in. Any project that require()s this package executes attacker-controlled native code that outlives the parent process.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-06-26T20:21:45Z",
            "sha256": "7b7fccd6dbb7ba8a92be0bcbb002f92c43ff0c5e4bb82666589834a7be69e6bf",
            "id": "IN-MAL-2026-007661",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T20:38:47.655054661Z"
        }
    ]
}
References
Credits

Affected packages

npm / @krentzen/buffer-reverse

Package

Name
@krentzen/buffer-reverse
Purl
pkg:npm/%40krentzen%2Fbuffer-reverse

Affected ranges

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "buffer-reverse-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-5WV0QoPkOJ0Jxhby8CN8Jdz4he2ho+tr1Aj7IeGrpCq0OZJMl4xpRH56pUulxLcuWkmPZYRebcdyNKjQEe/V9w==",
                "sha1": "6e19da71e241e3a143c97cea5c7a69c6555b74c2"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "49931b867eda707f535261f3112b6182e56d9ca9734c8504e162ccecbea423ce3666bc",
            "sha256": "43d1915e226a23be2198eb3815929cd84bf5a456f953ea9f146d6397457ed2c1"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@krentzen/buffer-reverse/MAL-2026-6536.json"