{"id":"MAL-2026-10098","summary":"Malicious code in fastify-addone (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf)\nThe package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.\n","modified":"2026-07-09T23:02:00.635102184Z","published":"2026-07-09T22:16:42Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009582","versions":["5.1.0"],"source":"amazon-inspector","modified_time":"2026-07-09T22:16:42Z","import_time":"2026-07-09T22:56:36.59463216Z","sha256":"21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/fastify-addone/v/5.1.0"}],"affected":[{"package":{"name":"fastify-addone","ecosystem":"npm","purl":"pkg:npm/fastify-addone"},"versions":["5.1.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-addone/MAL-2026-10098.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-DoJCErrdswoCTvFo2qbmcLQ+ZEymcM4p5XcNfVnVZ5xY4D301jAKhtHBm6l4IVKyQSkD0yV0AqAJTzOljFZLGw==","sha1":"cbce8b1e4c8c5f91c9a7b86a378a48b1b748907f"},"filename":"fastify-addone-5.1.0.tgz"}],"evidence_files":[{"tlsh":"2701eba86edbbc11032f3084e1ce5088baeebd802829e540e3bc4b211f83d7598b000e","path":"lib/getPluginName.js","sha256":"86962d00e33c7d47bba169fea7e2c18f304a1232db8a36ea7e9929f7e241a5f6"},{"path":"package.json","tlsh":"eb319aa5c8681cb30fd81dd164ed4182b61645974c94fc9ab3df022c9f4da3b22f978d","sha256":"6e38a5f45193fa6d45bf7f98462a84e402186d4fd3a34cfa88d716ff4fd6d428"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}