{"id":"MAL-2026-4501","summary":"Malicious code in btd-smart (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199)\nThe package presents itself as a clone of juliangruber/balanced-match (stolen author identity 'Julian Gruber \u003cmail@juliangruber.com\u003e', verbatim README, identical API renamed btdSmart, placeholder homepage 'github.com/your-org/btd-smart'). Appended to the legitimate code in index.js is an obfuscated block that runs unconditionally when the module is required. A custom string-shuffle decoder reconstructs the identifier 'constructor' (and other strings) without any literal occurrences in the file, retrieves the Function constructor from a string prototype, builds a function from a decoded source body, and invokes it. Before invocation, the code stashes `require` and `module` onto `global` under decoder-produced keys so the Function-built code — which otherwise has no closure scope — gains filesystem, network, and process capabilities. The payload body is opaque (deterministic numerical shuffle with 0x7F-based escape tricks across two nested decoders), executes on every `require('btd-smart')`, and the legitimate balanced-match code above it has no obfuscation, confirming the appended block is purposefully hidden. Combined signals — typosquat with stolen identity, custom obfuscator, dynamic Function eval of a decoded blob at module load, deliberate global-smuggling of require/module — match the documented active-attack shape; no legitimate brace-matching utility needs any of these mechanisms.\n","modified":"2026-05-26T06:02:15.206526123Z","published":"2026-05-19T18:58:59Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:18.572440252Z","id":"IN-MAL-2026-003259","modified_time":"2026-05-19T19:12:27Z","versions":["1.0.2"],"sha256":"3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199","source":"amazon-inspector"},{"import_time":"2026-05-26T05:50:17.604544963Z","id":"IN-MAL-2026-003250","modified_time":"2026-05-19T18:58:59Z","versions":["1.0.3"],"sha256":"f99fec295e7e47a66efd1ddfef051e13f25e9139473356d8a79c1c1d612e2887","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/btd-smart/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/btd-smart/v/1.0.3"}],"affected":[{"package":{"name":"btd-smart","ecosystem":"npm","purl":"pkg:npm/btd-smart"},"versions":["1.0.2","1.0.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"d8bd60b2a63b9ee8f6172c79cb5914498e21607b1d31e38e2f1edade76608e16","path":"index.js","tlsh":"c8125b840bc658e71233a9b84dcf4c05b62a6412322cf944ba6ef4905fd4e2d57faed8"},{"tlsh":"00110329c1734c2706c42a91acae1293be11da174d59bc0ef38e010c8f4ea6f22fd75e","path":"package.json","sha256":"bb473daeb0a8fbc93755f3103833c9864d442829859bb91f6d17551ace145701"}],"package_integrity":[{"hashes":{"sha1":"0318b76aaceeccf56e5a50a946324ca17699ca60","sha512_sri":"sha512-aPBHoL2A7LOh4PGCoVscTDXXXvz+R1mytr+DwBaGLxv+ZBWU9RBqdG4TlXCl1pl2T0XsuiPdKjDOAJ7z5i3rKQ=="},"filename":"btd-smart-1.0.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/btd-smart/MAL-2026-4501.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}