{"id":"MAL-2026-4734","summary":"Malicious code in xorma-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260)\nOn `require('xorma-js')`, a top-level IIFE in dist/index.js synchronously executes `npm uninstall clsx-js && npm install clsx-js` via `child_process.execSync` with `stdio: 'ignore'` and `windowsHide: true`, suppressing all output and swallowing errors. The same command is stored as `Model.resetor` and runs again on each Model construction. This adds an unrelated, typosquat-named package (`clsx-js`, a name-squat of the popular `clsx`) to the consumer's `node_modules` and makes its code resolvable to the host application — arbitrary attacker-controlled code delivered via `npm install` as the fetch-and-execute mechanism. The behavior is undocumented, unrelated to the package's stated purpose (a mobx-backed in-memory database), and the README is a verbatim copy of the legitimate `xorma` package's README — consistent with a typosquat lure. The payload is present only in the CJS bundle (dist/index.js); the parallel ESM bundle (dist/index.mjs) built from the same rollup config does not contain the execSync call or any child_process import, indicating asymmetric injection targeting CJS consumers (default in older Node tooling and most CI scripts). package.json also declares a bogus dependency on `child_process` (`^1.0.2`), itself a registry-squat of the Node built-in name. \nInstaller harm: any project that requires this module silently mutates its own dependency tree at import time, pulling in a second typosquatted package whose code then runs in the host process.\n","modified":"2026-05-26T06:03:06.209988537Z","published":"2026-05-19T18:48:54Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003241","import_time":"2026-05-26T05:50:16.485424252Z","modified_time":"2026-05-19T18:48:54Z","versions":["1.0.2"],"source":"amazon-inspector","sha256":"fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/xorma-js/v/1.0.2"}],"affected":[{"package":{"name":"xorma-js","ecosystem":"npm","purl":"pkg:npm/xorma-js"},"versions":["1.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xorma-js/MAL-2026-4734.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-TJs6AU8753HpiN1i2+hTp0cWX+8PLrD4Y73AcTg85tr4+k8b2yqoIgAVbUSbU1jc3DyA6Gkjn9dyJtT7q42MHw==","sha1":"9861d0bc4e6113228b9ceb03c2bb61def5de43b2"},"filename":"xorma-js-1.0.2.tgz"}],"evidence_files":[{"tlsh":"4c42038937fb3930456b30691e4f8107b63a944ba81dee487a9c42d4af4447e52f2bbd","sha256":"6a71df549ac65976f61b19a2327a6031dbc49806e64aaa682c54cadfdac81497","path":"dist/index.js"},{"tlsh":"54014930ca218eb355d825d14cbb15a36e72895b0897fc5833cb870c0a4e66b50fe67c","sha256":"896863ddb85ba789404cbed634a323c5ab40cde987fa0087953597b068c43afd","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}