{"id":"MAL-2026-10162","summary":"Malicious code in @bcryptln/becryptjs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d)\nPackage @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does `import '@bcryptln/becryptjs'`. The trailing code hoists `require`, `module`, `__dirname`, and `__filename` onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier `Function`, constructs a runtime function from a decoded string, and invokes it. Because `require` is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the `import` conditional export, targeting modern ESM consumers while keeping the `require` path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide `Function` and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.\n","modified":"2026-07-10T18:16:50.355263259Z","published":"2026-07-10T17:16:37Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T18:05:59.568023453Z","versions":["3.0.8"],"id":"IN-MAL-2026-009688","source":"amazon-inspector","sha256":"187a8bc42e0b5b2b84a05196bf192df5cea272412f0f6c3dfb033e7a84efd12d","modified_time":"2026-07-10T17:16:53Z"},{"import_time":"2026-07-10T18:05:59.424757414Z","versions":["3.0.10"],"id":"IN-MAL-2026-009686","source":"amazon-inspector","sha256":"cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d","modified_time":"2026-07-10T17:16:37Z"},{"import_time":"2026-07-10T18:05:59.493461351Z","versions":["3.0.11"],"id":"IN-MAL-2026-009687","source":"amazon-inspector","sha256":"dc61cae0736f2880d659ccadc0e57f0a6b555799721b71af48b68510c217f030","modified_time":"2026-07-10T17:16:45Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@bcryptln/becryptjs/v/3.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@bcryptln/becryptjs/v/3.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@bcryptln/becryptjs/v/3.0.11"}],"affected":[{"package":{"name":"@bcryptln/becryptjs","ecosystem":"npm","purl":"pkg:npm/%40bcryptln/becryptjs"},"versions":["3.0.8","3.0.10","3.0.11"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"e9419961ccb08da30bd819d1f8399a12b271495b8c24bd16779e912c8f4e0ef15fe29e","path":"package.json","sha256":"1e790d92714abbcfcf34440af9b126a471d2c52a325edd77baeeaf7821c18986"},{"tlsh":"563309840ba721710923b93a572f9485b6b9a1370628fd55bc5c67b09fbf32cd2f1d88","path":"umd/index.js","sha256":"6a04e75ccbd3f5d622ca2a4dc4df6eeb514e0eef67372bf7bd36bdc1e7e38534"}],"package_integrity":[{"hashes":{"sha1":"f13e2a34533370ae2bf2c338e51de7ef7d76968c","sha512_sri":"sha512-aE2vcrmfgSkpno/ZP0xmT2RT+hyGDP57pkWa48bL9sZY/Dx+Ps9BJlAyq9onLX5CaemH3ZzV9lfxhnuOUVlxHg=="},"filename":"becryptjs-3.0.8.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bcryptln/becryptjs/MAL-2026-10162.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}