{"id":"MAL-2026-4779","summary":"Malicious code in ether-bn.js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73)\nPackage name 'ether-bn.js' resembles the widely-used 'bn.js' big-number library, and the README directs users to install yet another name ('buffernumber.js'). The repository and homepage fields point at the legitimate indutny/bn.js project while the author field is unrelated. The shipped lib/bn.js is a near-verbatim copy of upstream bn.js with two non-upstream additions: a top-level `const uniqueString = require('unique-id-64');` (lib/bn.js:38) and a check `if (BN.isBN(number) && uniqueString(64)) { return number; }` inside the BN constructor (lib/bn.js:20). package.json adds `unique-id-64: ^1.0.0` to dependencies. The injected require is unconditionally evaluated when the module is loaded, and `uniqueString(64)` is invoked on every BN clone path, so any consumer that does `new BN(existingBn)` executes the third-party `unique-id-64` package's code. The injected dependency is unpinned (`^1.0.0`) and is not a legitimate transitive of bn.js — it is the payload-delivery vehicle for whatever the third-party package contains now or in the future. Installers expecting bn.js semantics silently take a runtime dependency on attacker-selected code reached through a confusingly-named lookalike package.\n","modified":"2026-05-26T08:01:40.955191090Z","published":"2026-05-26T06:25:09Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004851","source":"amazon-inspector","sha256":"4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73","modified_time":"2026-05-26T06:25:09Z","versions":["1.4.0"],"import_time":"2026-05-26T06:26:14.140621251Z"},{"id":"IN-MAL-2026-004856","source":"amazon-inspector","sha256":"c00780a3026cf6886eb1c16dbfe7a20d9dea3ac9e12bd2de1a3856249df8d878","versions":["1.4.1"],"modified_time":"2026-05-26T07:09:54Z","import_time":"2026-05-26T07:48:28.324713291Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ether-bn.js/v/1.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ether-bn.js/v/1.4.1"}],"affected":[{"package":{"name":"ether-bn.js","ecosystem":"npm","purl":"pkg:npm/ether-bn.js"},"versions":["1.4.0","1.4.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ether-bn.js/MAL-2026-4779.json","indicators":{"package_integrity":[{"filename":"ether-bn.js-1.4.0.tgz","hashes":{"sha1":"c98f6b5e1991a17a64e421b2cc3e6ab5deeef1d7","sha512_sri":"sha512-s2MbqGoQUt4wUpUMfI/H6wWPXKVVld4nXaqOHjyGvdXkd1AIdNQv1fv7nQAYNzrsoBuTc1SPMIG1QqzURKBmhw=="}}],"evidence_files":[{"sha256":"d6b7f7f510a0574745196d24515cc9f121560cc5755aa1afe1f9283351ba8d8c","path":"lib/bn.js","tlsh":"e8938844abb720599a4b753c4faf60886a74e41b5847dd08bd8ce3e06f5502482fdffa"},{"sha256":"cbbc438fa05f5350c7e7b503b7975447865e03c72373cfb9e272d00d8366486f","path":"package.json","tlsh":"41114c58cc694ca32bd566e5489d600bb671885b4898fc0cb3e7521c4b5f16f11feabc"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}