{"id":"MAL-2026-4610","summary":"Malicious code in midcorp (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bc6725ed066ed5aff9452bd82d278fd89c1548768124d8b89cb8e5a5e8c3b05a)\nThe package masquerades as a pino-compatible logger (package.json keywords `fast`/`logger`/`stream`/`json`, exports `module.exports.pino = middleware`, lib filenames `proto.js`, `redaction.js`, `multistream.js`, `transport.js`, `worker.js` mirror pino's layout), but its actual runtime behavior is a remote-code-execution dropper. When a consumer requires midcorp and invokes the exported `middleware()` from `index.js`, a detached/unref'd child process spawns `lib/caller.js`, which performs `axios.get` against `https://jsonkeeper.com/b/XRGF3` (an anonymous, mutable paste-bin host) and passes the returned `data.cookie` field to `new Function.constructor('require', s)(require)` — handing attacker-controlled JavaScript full Node.js `require` capabilities. The C2 URL is obfuscated as a base64 string disguised as a fake `process.env.DEV_API_KEY` default in `lib/caller.js` / `lib/const.js` (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz` → `https://jsonkeeper.com/b/XRGF3`), with a backup paste ID (`4NAKK`). The description field is unrelated boilerplate about vulnerability management.\nThree independent block signals (remote-eval of paste-bin content, pino impersonation cover, base64-hidden C2) leave no benign interpretation.\n","modified":"2026-05-26T06:02:41.532964683Z","published":"2026-05-22T15:22:57Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:11.273071919Z","id":"IN-MAL-2026-004224","modified_time":"2026-05-22T15:22:57Z","versions":["1.1.9"],"sha256":"bc6725ed066ed5aff9452bd82d278fd89c1548768124d8b89cb8e5a5e8c3b05a","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/midcorp/v/1.1.9"}],"affected":[{"package":{"name":"midcorp","ecosystem":"npm","purl":"pkg:npm/midcorp"},"versions":["1.1.9"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"f8017b8a30fa605c015510f64b1fa4327011e4273c49e5c5378c87524fea9ae6963aed","path":"lib/caller.js","sha256":"d81e48769a830cd3384a4b8977ade12e5ab7583eb7cca84e7ab966d15871bd71"},{"sha256":"2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065","path":"index.js","tlsh":"5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7"}],"package_integrity":[{"hashes":{"sha1":"fe92fc7ad4d8e033fb58dc29762bcfa4eb8fd72d","sha512_sri":"sha512-5QiR7iEkt0yzDMMMx591lVc9sNaSM7y27zFw8D7PAxz93d6YQGTg24uQ+nhDgo1TZRUrwpfZPX4UDz6IJm5EQw=="},"filename":"midcorp-1.1.9.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/midcorp/MAL-2026-4610.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}