{"id":"MAL-2026-2798","summary":"Malicious code in request-easy-validator (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b)\nrequest-easy-validator impersonates the popular `request` package (cloned README, bugs URL points at github.com/request/request, source is a fork of `request`) and ships a hidden remote-code-execution dropper. index.js exports a `middleware` function (also exposed as default, `.reqValidator`, and `.request`) that, on any invocation by the consumer, spawns a detached `node lib/callers.js` child with `stdio: 'ignore'` and `child.unref()` to hide it from the parent process. lib/callers.js then issues an HTTPS GET to https://jsonkeeper.com/b/PWEH9 (an anonymous, mutable, attacker-controlled paste host) with header `x-secret-key: _`, takes the `.Cookie` field from the response, and passes it to `new Function.constructor('require', s)` invoked with the live `require` — granting the paste-host operator arbitrary Node.js code execution with full module access on any server using this package. The payload URL is mutable, so the attacker can change the executed code at any time without republishing the package.\n","modified":"2026-05-26T06:02:53.294542397Z","published":"2026-04-16T10:15:30Z","database_specific":{"malicious-packages-origins":[{"source":"reversing-labs","id":"RLMA-2026-02035","import_time":"2026-04-16T15:39:16.491459746Z","versions":["1.1.0","1.2.0","1.2.1"],"sha256":"8edcb2f860332561b7d9050d2ce2e2dcb82eecbbc51dc8c659ca4e741f70de1b","modified_time":"2026-04-16T10:15:30Z"},{"source":"amazon-inspector","modified_time":"2026-04-23T20:43:56Z","import_time":"2026-04-23T20:48:59.140631663Z","versions":["1.1.0","1.2.0","1.2.1"],"sha256":"f6016a67de1924ce3156de3c59cb6f311ad9fe0151c129cd63dc56007576a369"},{"source":"amazon-inspector","id":"IN-MAL-2026-003458","import_time":"2026-05-26T05:50:40.87663445Z","versions":["1.0.6"],"sha256":"59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b","modified_time":"2026-05-20T04:12:52Z"},{"source":"amazon-inspector","modified_time":"2026-05-20T04:12:27Z","import_time":"2026-05-26T05:50:40.784672454Z","versions":["1.0.7"],"sha256":"59c86157ff92828c8f05107e9b16169821d937ef657d7fcbb19d6862242c07af","id":"IN-MAL-2026-003457"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/request-easy-validator/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/request-easy-validator/v/1.0.7"}],"affected":[{"package":{"name":"request-easy-validator","ecosystem":"npm","purl":"pkg:npm/request-easy-validator"},"versions":["1.1.0","1.2.0","1.2.1","1.0.6","1.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-easy-validator/MAL-2026-2798.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"lib/callers.js","tlsh":"7001cb8f70ac545c09b013f6bb1fe436f621a46b390291d0375c87421f769ad6603eee","sha256":"9e82b0f3bea4634d83caf9fb953b559d92f0a1980e28439500e01d62e909e2d2"},{"path":"package.json","tlsh":"72415220cc6a8c931ec929e5687d5643b1a0e41bce41bc1d778a639c4f4e46f32b8f6d","sha256":"99eb2633488f428557d3222c324fdcd95fe719ab092fa3bb34f2263f79dd15bd"},{"path":"index.js","tlsh":"87a1648526e373519aebb2d1e81f4229b675d223320e1a7178c587d81f0cc69d3b3dd5","sha256":"356f24fff7af39ef7026879a2c571b3c81ee0ecf880078e24b25be69fe5642d6"}],"package_integrity":[{"filename":"request-easy-validator-1.0.6.tgz","hashes":{"sha1":"cbc47e82cba4fdfeeab1ca30becb9e459061e49c","sha512_sri":"sha512-uyFVWy1EhsZI9PRvTMCwRYpUomfFeGVoGUfJ1F4nXRxtUMT/sigHG+5KbTF5zOuaJsXpomaUmRKr3+gdj1Mccw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}