{
  "id": "MAL-2026-2930",
  "summary": "Malicious code in path-internal (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0)\nThe package presents itself as a copy of the Node.js core `path` module (name `path-internal`, README: \"exact copy of the NodeJS 'path' module\") and ships the upstream Joyent path implementation with a malicious dropper spliced between `posix.basename` and `posix.extname` in `path.js`. On `require('path-internal')`, the module decodes a base64-encoded URL (`https://www.jsonkeeper.com/b/YCW2F`, stored under the misleading variable name `randomStringRe`), fetches the JSON document at that URL, and passes `data.content` straight to `eval()`. A second identical IIFE for `https://www.jsonkeeper.com/b/TPQHE` is present (commented out) under `tokenStringRe`. jsonkeeper.com is an anonymous, mutable paste host: the attacker can change the served payload at any time to execute arbitrary code in-process on every installer that imports the package. The base64 obfuscation, the regex-shaped decoy variable names, the splice into a verbatim copy of a Node stdlib module, and the typosquat name (with the README also confusingly suggesting `npm install --save path-external`) collectively confirm malicious intent rather than negligence.\n\n## Source: ossf-package-analysis (37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea)\nThe OpenSSF Package Analysis project identified 'path-internal' @ 1.0.10 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "modified": "2026-05-26T06:02:49.021846121Z",
  "published": "2026-04-14T10:53:25Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-04-14T10:53:25Z",
        "source": "ossf-package-analysis",
        "versions": ["1.0.10"],
        "import_time": "2026-04-20T04:35:28.98285502Z",
        "sha256": "37a46ea303cb680cff00791b29be183770a5eb1edaef69ce37b97327243deeea"
      },
      {
        "modified_time": "2026-04-17T20:50:36Z",
        "source": "ossf-package-analysis",
        "sha256": "3ffd83abacf171f62d4ab24cb566309928d5ae7d0fa65b7b8dd9cb6adafb0b99",
        "import_time": "2026-04-20T04:35:29.310441798Z",
        "versions": ["1.0.11"]
      },
      {
        "modified_time": "2026-04-23T20:43:56Z",
        "source": "amazon-inspector",
        "sha256": "abc4831453df57bac423574143b194320835024fc24fdc838ee77b08db8a4e52",
        "import_time": "2026-04-23T20:49:13.97191322Z",
        "versions": ["1.0.10", "1.0.11"]
      },
      {
        "modified_time": "2026-05-01T07:37:53Z",
        "source": "ossf-package-analysis",
        "sha256": "69a980bf55ae1f73da093b3b7c1a29a2036d779a4eaefa932d35a7190bef8f56",
        "import_time": "2026-05-04T03:13:19.953289264Z",
        "versions": ["1.0.12"]
      },
      {
        "modified_time": "2026-05-25T17:03:12Z",
        "source": "ossf-package-analysis",
        "versions": ["1.0.14"],
        "import_time": "2026-05-26T00:54:39.689491526Z",
        "sha256": "b6bf7ad436a59244e2afc4824dd817d97fea9639a779630425bba77546be2708"
      },
      {
        "modified_time": "2026-05-25T15:28:53Z",
        "source": "amazon-inspector",
        "versions": ["1.0.13"],
        "import_time": "2026-05-26T05:53:07.00310722Z",
        "sha256": "b6f9fdab17c04f83092e8be5cd40659ff6a7fd4ba936ee30fd1ae03e92311e2e",
        "id": "IN-MAL-2026-004702"
      },
      {
        "modified_time": "2026-05-25T16:14:35Z",
        "source": "amazon-inspector",
        "versions": ["1.0.14"],
        "import_time": "2026-05-26T05:53:09.06108946Z",
        "sha256": "2e41b4e12365824a7df50e3711c5c1d31e64ca4972e2571fa79082d18efa1844",
        "id": "IN-MAL-2026-004718"
      },
      {
        "modified_time": "2026-05-25T16:10:18Z",
        "source": "amazon-inspector",
        "sha256": "5393cf6d8cf49c2550e7cc90ff3de58b1e97bdc89183f63beae60b3e46b9d2e0",
        "import_time": "2026-05-26T05:53:08.930672262Z",
        "versions": ["1.0.14"],
        "id": "IN-MAL-2026-004717"
      },
      {
        "modified_time": "2026-05-25T15:28:53Z",
        "source": "amazon-inspector",
        "sha256": "a19a0df6f7e1346a46e8a6d85d06ecf9fc66090ecd3dd5f017c5308a1525bf7f",
        "import_time": "2026-05-26T05:53:06.91103367Z",
        "versions": ["1.0.13"],
        "id": "IN-MAL-2026-004701"
      }
    ]
  },
  "references": [
    { "type": "PACKAGE", "url": "https://www.npmjs.com/package/path-internal/v/1.0.14" },
    { "type": "PACKAGE", "url": "https://www.npmjs.com/package/path-internal/v/1.0.13" }
  ],
  "affected": [
    {
      "package": { "name": "path-internal", "ecosystem": "npm", "purl": "pkg:npm/path-internal" },
      "versions": ["1.0.10", "1.0.11", "1.0.12", "1.0.14", "1.0.13"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-internal/MAL-2026-2930.json",
        "cwes": [
          {
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506"
          },
          {
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "6182a5045946255a9a3677b0df0a340ef77684f34315ab00f89ce6502f72e78a2feed8",
              "path": "path.js",
              "sha256": "756a8386bde78c2359fa7822a7d5a073fc7dd73d9022f2b6b221b57d267788aa"
            },
            {
              "tlsh": "e2e0df31cd46ec3304e522a43d35461ba1a18d4b0806f80923829b4c9b8e5afa0b83ac",
              "path": "package.json",
              "sha256": "25f7cc92174323df15dc190277845dc2a891a4b153e811f344c780f6268b1eac"
            }
          ],
          "package_integrity": [
            {
              "filename": "path-internal-1.0.14.tgz",
              "hashes": {
                "sha512_sri": "sha512-SGhhcA9/55KjQFUm0NK0aIaSEIm0CiTbNFMm4qICfUYfazXSQxQe9Dbb63C0Z9qjkH2h44cZheYtl+s3UH3LPw==",
                "sha1": "2bfd7c233875c9c083ac2ab6788b96c152c77310"
              }
            }
          ],
          "domains": ["www.jsonkeeper.com"]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    { "name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER" },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"],
      "type": "FINDER"
    }
  ]
}