{"id":"MAL-2026-10151","summary":"Malicious code in buffer-util-internal (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7)\nPackage impersonates Feross Aboukhadijeh's widely-used `buffer` package, copying its author, repository, contributors, and description metadata while publishing under the name `buffer-util-internal`. The main module `index.js` contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's `content` field directly to `eval`. The destination URL is hidden behind a variable named `tokenStringRe` with a misleading `// Random string to generate strong random value` comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate `buffer` package.\n","modified":"2026-07-10T17:17:01.884296906Z","published":"2026-07-10T16:54:54Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-07-10T17:10:16.126237682Z","modified_time":"2026-07-10T16:55:04Z","sha256":"d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7","versions":["1.0.13"],"id":"IN-MAL-2026-009668"},{"import_time":"2026-07-10T17:10:16.081923438Z","source":"amazon-inspector","modified_time":"2026-07-10T16:54:54Z","id":"IN-MAL-2026-009667","versions":["1.0.14"],"sha256":"f3a255421103fb27bb0157b46a493187a59fab17fc5b9e6f91bc84359b4225d2"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/buffer-util-internal/v/1.0.13"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/buffer-util-internal/v/1.0.14"}],"affected":[{"package":{"name":"buffer-util-internal","ecosystem":"npm","purl":"pkg:npm/buffer-util-internal"},"versions":["1.0.13","1.0.14"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-util-internal/MAL-2026-10151.json","indicators":{"evidence_files":[{"tlsh":"2751952bcc9a4c6b0ab467f5a93e1a0af521472f4490480fb5bf1a8d4ff56a7118df1c","sha256":"15a480e40f9d5ca47787ad5bfa63329b4743904506825322025771a6fb5e1be1","path":"package.json"},{"tlsh":"805353022e5251274777b33d984f950efb36e427462688c8b4ac84502fb5964cafbefd","path":"index.js","sha256":"259fe955fae02f969363637eb267fa01755fec71c03eaa9d5e7f0cafc7a08015"}],"package_integrity":[{"hashes":{"sha1":"3a9a63692c7449a5352c78a7282983a3fb4e8400","sha512_sri":"sha512-BGQ+JtIa4SyjqVemUUbUGBMInmoa4Z5jtuBJafNMh3bUS6+M8HT6W2yArGgAhPznCjZ/xByNx7kGWBCczKdV2A=="},"filename":"buffer-util-internal-1.0.13.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}