{"id":"MAL-2026-4549","summary":"Malicious code in dot-utils-plus (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f)\nOn every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from environment variable VITE_DOT_UTILS_AES_SECRET, decrypts the result into JavaScript source, wraps it in a Blob/data URL, and dynamically `import()`s it. The decrypted code is opaque to consumers and to static review; whoever holds the AES secret can ship arbitrary JavaScript to every downstream application that loads this library. This is a backdoor/remote-code-execution surface delivered through a library's normal import path. In addition, the same bundle monkey-patches the global `EventTarget.prototype.addEventListener` at import time. For every `click` listener registered after the patch, on dates after 2026-06-10 and when running outside development, the wrapper has a 5% chance of busy-waiting 5000ms on the main thread — a date-gated logic bomb that silently degrades any web app loading the package. None of this behavior is documented in the README or the declared API, and `package.json` carries placeholder author metadata (`\"Your Name\"`) with a self-described \"encrypted distribution build\" as the only shipped artifact.\n","modified":"2026-05-26T06:02:29.699443854Z","published":"2026-05-21T02:37:52Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f","modified_time":"2026-05-25T07:28:47Z","versions":["0.1.9"],"id":"IN-MAL-2026-004594","import_time":"2026-05-26T05:52:54.546550366Z"},{"sha256":"3b3ec7da6f9bf18e682d16157ad4f267a8eac8c4fffb0830c82cf81d967cb548","modified_time":"2026-05-21T02:37:52Z","import_time":"2026-05-26T05:51:08.610127186Z","versions":["0.1.5"],"id":"IN-MAL-2026-003703","source":"amazon-inspector"},{"source":"amazon-inspector","sha256":"8e1d253016bde040bfaef95130c59591f1715fc56eaad47d0dd27ab27c410379","modified_time":"2026-05-21T05:39:56Z","versions":["0.1.8"],"id":"IN-MAL-2026-003744","import_time":"2026-05-26T05:51:13.964617422Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dot-utils-plus/v/0.1.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dot-utils-plus/v/0.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dot-utils-plus/v/0.1.8"}],"affected":[{"package":{"name":"dot-utils-plus","ecosystem":"npm","purl":"pkg:npm/dot-utils-plus"},"versions":["0.1.9","0.1.5","0.1.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dot-utils-plus/MAL-2026-4549.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-P8KJaKt27lChzGcaCEnCVccogrOkj+ebONs35Xxh8DWMUq53EUociJXAijscdAZMrCznLxP9L5KX4PlYd+RJBQ==","sha1":"4e23555ce80fe605583d8e425c0184395e5a19ca"},"filename":"dot-utils-plus-0.1.9.tgz"}],"evidence_files":[{"sha256":"0775cb3a1c0816fdc1bb907679780e8572e9c74b98b7e7f24d47f82ad64e782c","path":"dist/index.js","tlsh":"c8d173443db224628266a0f7663fe0557570c663364cce94b7dca2a05fb543ccbe32da"},{"sha256":"e2c6498fd641993b7f1553de5cc25abac8b0765d8e4191aa0095d38d2675a52c","path":"package.json","tlsh":"5f115933c9949d2302f8d6a1ad759706f6710b1f01604d0730fa012c4b752ab446efae"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}