{"id":"MAL-2026-5633","summary":"Malicious code in typeorm-encrypt (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a56a819a1e640411db5e485054b23282d0d04f847270ea17c605cbfa6e6ab5ac)\nThe published tarball contains lib/lib.min.js, a heavily obfuscated file that stashes Node intrinsics on globals (`global['r']=require; global['m']=module;`) before invoking a Function-constructor eval'd payload. This is the canonical dropper shape: code that needs `require` access but is structured to evade casual review through a permutation-decoder + Function-eval pipeline. The file is not referenced from lib/index.js (the package main) or any other clean module in the package, whose stated purpose is a small TypeORM transformer for encrypted columns (lib/crypto.js, lib/entity.js, lib/transformer.js show that purpose in clear source). Shipping an obfuscated payload that has no role in the advertised functionality, and that is wired to access Node's require/module via globals when invoked, is unjustified for a column-encryption transformer. Corroborating signal: package.json declares an empty author name with a lookalike email domain (`gennagykoroke@vich.com`) and no `repository` or `homepage` fields — typical placeholder maintainer metadata. While the obfuscated file is dormant on a default `require('typeorm-encrypt')` (it is not on the load graph from main), its presence in the tarball means any path that loads it — a future patch flipping main, a sibling package requiring `typeorm-encrypt/lib/lib.min.js` directly, or runtime code in other distribution paths — executes attacker-controlled obfuscated code with full Node intrinsics access. The combination of obfuscation, require-stashing prologue, purpose mismatch, and placeholder maintainer identity is consistent with smuggled malicious code.\n\n## Source: ghsa-malware (dc67e2dca7bff2668f3bf2504574289c8ed5d5bbda1e2f52636df55205076d0d)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-f7h6-4xj8-8qh7"],"modified":"2026-06-12T20:01:57.811137369Z","published":"2026-06-11T09:35:12Z","database_specific":{"malicious-packages-origins":[{"source":"ghsa-malware","id":"GHSA-f7h6-4xj8-8qh7","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"sha256":"dc67e2dca7bff2668f3bf2504574289c8ed5d5bbda1e2f52636df55205076d0d","import_time":"2026-06-11T09:45:30.613549779Z","modified_time":"2026-06-11T09:35:18Z"},{"source":"amazon-inspector","modified_time":"2026-06-12T19:02:03Z","sha256":"20406ffcfde6d90076be56c9440857b5fe2f5bff8d4f7d54def2f8d4f6e9d5db","id":"IN-MAL-2026-005795","import_time":"2026-06-12T19:43:34.333076771Z","versions":["1.0.1"]},{"source":"amazon-inspector","id":"IN-MAL-2026-005796","sha256":"a56a819a1e640411db5e485054b23282d0d04f847270ea17c605cbfa6e6ab5ac","modified_time":"2026-06-12T19:02:04Z","import_time":"2026-06-12T19:43:34.440606445Z","versions":["1.0.2"]}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-f7h6-4xj8-8qh7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/typeorm-encrypt/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/typeorm-encrypt/v/1.0.2"}],"affected":[{"package":{"name":"typeorm-encrypt","ecosystem":"npm","purl":"pkg:npm/typeorm-encrypt"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.1","1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/typeorm-encrypt/MAL-2026-5633.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"cc074a2f99e5bdfa7acde7d9dd6620771a3d6c9a71e023e50c1853df8681a43d","tlsh":"d4816ec87548fdc979c042b181cb919f2c6507e2987fb1c4888f86ea55422465eb9eff","path":"lib/lib.min.js"},{"sha256":"61de2a0fdb31eca99c6a6e22aef56df1e2aa663ef8f6e5f2b63c61037973fbf6","tlsh":"49110858dc7dce6326c591a06cb58283e131495b4da4fc0c3792463e8f9d5af60bc7ae","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}