{
  "id": "MAL-2026-3311",
  "summary": "Malicious code in path-addon (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (11d09848fb828ae851ef7b905f793e3b5876ee2a5ef4b4f8bf06d631ea904d78)\nOn require('path-addon'), top-level code in path.js fetches a base64-encoded URL (decoding to https://www.jsonkeeper.com/b/YEHJY) and passes the response's `content` field directly to eval(), giving whoever controls that paste arbitrary code execution inside any process that imports the package. The URL is mutable and hosted on an anonymous public paste service, so the executed bytes can change at any time without a package update. The package's name and README (`This is an exact copy of the NodeJS 'path' module`) impersonate Node.js's built-in `path` module to lure developers into installing it via typo or confusion. The `author` field is empty and the dependency list (`execp`, `request`, `axios`) provides the network/exec primitives used by the dropper. \nThis satisfies both the import-time remote-code-execution and typosquat-with-payload patterns.\n\n## Source: ossf-package-analysis (4aac3da4c776f814c79af215bfde0f1ee2c3db50e9b18997447f28e9d04df88a)\nThe OpenSSF Package Analysis project identified 'path-addon' @ 1.0.4 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "modified": "2026-05-26T06:02:46.311737470Z",
  "published": "2026-05-01T07:11:33Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["1.0.4"],
        "source": "ossf-package-analysis",
        "import_time": "2026-05-04T03:13:19.749729318Z",
        "modified_time": "2026-05-01T07:11:33Z",
        "sha256": "4aac3da4c776f814c79af215bfde0f1ee2c3db50e9b18997447f28e9d04df88a"
      },
      {
        "versions": ["1.0.4"],
        "source": "amazon-inspector",
        "import_time": "2026-05-12T07:28:51.773167504Z",
        "modified_time": "2026-05-12T06:53:21Z",
        "sha256": "1f1ee3f4c05bbe24c4113835e304dd3ee650c0a9eee8a4d62046283612827742"
      },
      {
        "versions": ["1.0.6"],
        "source": "ossf-package-analysis",
        "import_time": "2026-05-26T00:54:40.033890594Z",
        "modified_time": "2026-05-25T17:27:33Z",
        "sha256": "841010d222011fd6020bd7fc04307bbf20506c3fa1837fb14c4ec50996458a76"
      },
      {
        "versions": ["1.0.5"],
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:53:07.668659711Z",
        "modified_time": "2026-05-25T15:35:01Z",
        "id": "IN-MAL-2026-004708",
        "sha256": "dd3198bde6aa2ea1b04043cb0a16d831667118334a13c759c7097261933457a1"
      },
      {
        "versions": ["1.0.5"],
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:53:07.508831951Z",
        "modified_time": "2026-05-25T15:34:51Z",
        "id": "IN-MAL-2026-004707",
        "sha256": "0e17241453cc8d0c8c3ce06b18aa75eaca0799c9af55e08d406e2c5fed41a695"
      },
      {
        "versions": ["1.0.6"],
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:53:09.369780288Z",
        "modified_time": "2026-05-25T16:22:50Z",
        "sha256": "11d09848fb828ae851ef7b905f793e3b5876ee2a5ef4b4f8bf06d631ea904d78",
        "id": "IN-MAL-2026-004721"
      },
      {
        "versions": ["1.0.6"],
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:53:09.513367294Z",
        "modified_time": "2026-05-25T16:22:55Z",
        "sha256": "4d7ce32d8902775c2d8d86acb27650f28f454f623487504019f5ee4388f0c8ac",
        "id": "IN-MAL-2026-004722"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/path-addon/v/1.0.5"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/path-addon/v/1.0.6"}
  ],
  "affected": [
    {
      "package": {"name": "path-addon", "ecosystem": "npm", "purl": "pkg:npm/path-addon"},
      "versions": ["1.0.4", "1.0.6", "1.0.5"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/path-addon/MAL-2026-3311.json",
        "indicators": {
          "domains": ["www.jsonkeeper.com"],
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-61gD0Y6RUnuB0mAVP3Xw6IjjjxTjUpWRbK89PzAhVRG60TfTRv8CNc9XLjBEJs+KpE0PWYsbbd+DyzvnQSoHYw==",
                "sha1": "e31fdedd8ffeee18b4dfa68129407959c824c723"
              },
              "filename": "path-addon-1.0.5.tgz"
            }
          ],
          "evidence_files": [
            {
              "path": "path.js",
              "tlsh": "897296045945654a9a3677b0df0a340ef77688f35315ab00f89ce6502f72e78a2feed8",
              "sha256": "266311c35a81980e7c59d5d12dcbcc6aaf8b0a4fc5ab082a57586efd13e68baa"
            },
            {
              "path": "README.md",
              "tlsh": "2dd0978c0383312761ac4703faa680e28d02e4cd4723100078ce5bf0a2b1da1402610e",
              "sha256": "c4c84bbc00493a9ac804f2dabcfd2767e9408ab280a87c12d14c887bfd81bf81"
            }
          ]
        },
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"},
    {"name": "OpenSSF: Package Analysis", "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"], "type": "FINDER"}
  ]
}