{"id":"MAL-2026-4475","summary":"Malicious code in aes-decode-runner-pro (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93)\nOn `require('aes-decode-runner-pro')`, the entry point `index.js` immediately invokes `pkg.run()` (lines 1-3: `const pkg = require(\"./custom-codec\"); pkg.run();`). `run()` AES-256-GCM-decrypts a hardcoded ciphertext bundle using a hardcoded passphrase and salt shipped in `src/config/defaults.js` (`DEFAULT_AES_PASSPHRASE = \"default-dev-passphrase\"`, `DEFAULT_AES_SALT = \"encode-npm-c-salt\"`, `DEFAULT_FINAL_ENCODED_TEXT = \"wHKEM3UBnIY0UBU6:...\"`), passes the result through two further custom codecs, and finally executes the recovered cleartext with `new Function(String(decoded.decodedPlainText))()` at `src/pipeline/custom-codec-pipeline.js:54`. The README advertises only library functions and does not disclose this auto-execution behavior. Layered obfuscation (position codec + encode-decode codec + AES-GCM with an embedded key) whose only in-package consumer is the load-time `run()` entry has no purpose other than hiding executable code from static review; a consuming developer cannot determine what runs without first executing it. The decrypted payload is entirely attacker-chosen and runs with the privileges of the importing Node.js process every time any downstream module requires this package.\n","modified":"2026-05-26T17:01:46.219734979Z","published":"2026-05-25T16:36:18Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T16:44:05Z","versions":["1.0.3"],"import_time":"2026-05-26T05:53:09.849927162Z","sha256":"21c4286de42cc9b421b7bfb8451075f5fac3d004439cc19a78ffd3d6103e2935","source":"amazon-inspector","id":"IN-MAL-2026-004725"},{"modified_time":"2026-05-25T16:40:25Z","versions":["1.0.2"],"import_time":"2026-05-26T05:53:09.755170225Z","sha256":"7d2e4d5ff40593da9616ad9c185d324e9bd84253c7e73c63bbefb0e8ba84a5f0","source":"amazon-inspector","id":"IN-MAL-2026-004724"},{"modified_time":"2026-05-25T17:15:20Z","versions":["1.0.5"],"import_time":"2026-05-26T05:53:10.283669433Z","sha256":"abc470bfaa7f07d0b5c447c9340ea97f9623545acc703b8a143d4a49737bb50a","source":"amazon-inspector","id":"IN-MAL-2026-004729"},{"modified_time":"2026-05-25T16:36:18Z","versions":["1.0.1"],"import_time":"2026-05-26T05:53:09.607864311Z","sha256":"2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93","source":"amazon-inspector","id":"IN-MAL-2026-004723"},{"modified_time":"2026-05-26T15:33:27Z","versions":["1.0.7"],"import_time":"2026-05-26T16:47:31.858420721Z","sha256":"3343f3d9d7dfd91a206c28e4ec52f4615b830a46638d61e8dcea5a646c60dee1","source":"amazon-inspector","id":"IN-MAL-2026-004931"},{"modified_time":"2026-05-26T15:54:00Z","versions":["1.0.8"],"import_time":"2026-05-26T16:47:31.944290505Z","sha256":"5b57b940dbe6e5a732434a0f96f3d6e2253b147036af520642a17941e052b175","source":"amazon-inspector","id":"IN-MAL-2026-004933"},{"modified_time":"2026-05-26T15:29:45Z","versions":["1.0.6"],"import_time":"2026-05-26T16:47:31.818950899Z","source":"amazon-inspector","sha256":"62b62112b1522fd678caca77d9627e6cf0bb1187188b1946655ae69e8efb1271","id":"IN-MAL-2026-004930"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/aes-decode-runner-pro/v/1.0.6"}],"affected":[{"package":{"name":"aes-decode-runner-pro","ecosystem":"npm","purl":"pkg:npm/aes-decode-runner-pro"},"versions":["1.0.3","1.0.2","1.0.5","1.0.1","1.0.7","1.0.8","1.0.6"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aes-decode-runner-pro/MAL-2026-4475.json","indicators":{"evidence_files":[{"path":"index.js","sha256":"ff42378f9099a83109c6143d8daad35d740db606a89639e61ece311100aef5f1","tlsh":"bea0247143f13370301440c0d005055144cfc3d3314070404d45d5d041cdc400133c40"},{"path":"src/config/defaults.js","sha256":"737deb01c41226ede865573174fa8787cdbf461cf78d8cf298bf9765b2b60aa3","tlsh":"cd01b8207fa907a979601fe854386ce7b463f43ab50bb2850c3a82d242ee44304a568c"}],"package_integrity":[{"filename":"aes-decode-runner-pro-1.0.3.tgz","hashes":{"sha512_sri":"sha512-8h37en6h3BeBKj6GJgGYMQ6dev2kzXrdo/SmFnbmmX8JtyuRHoRFUb6Cc6FuSCHZGsbJxxDX9uyXUPzNjNFXoA==","sha1":"11a8d8b7a152141f33133341294808a594772247"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}