{"id":"MAL-2026-5730","summary":"Malicious code in class-synth (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271)\nclass-synth is advertised as a small class/style/date utility library, but its main entry (dist/index.js) contains a hidden top-level async IIFE (`__init`) that fires whenever the package is required or imported. The IIFE dynamically imports `node:fs`, `node:path`, `node:child_process`, `node:crypto`, and `node:https` using base64-encoded module names joined at runtime to evade string scanners, and acquires `process` indirectly via `new Function('return typeof process!== \"undefined\"? process: null;')`. It then recursively walks `process.cwd()` looking for any `.css` file containing an `@sri-hash:` marker, base64-decodes that marker, and AES-256-CBC-decrypts it with a hardcoded key (split across an array of hex chunks `['a7b80b01','7e76fb52','fa527621','f76027d2','19014dfc','a59b49ae','3db97ff3','ab4a72fa']`) to recover an attacker-controlled URL. The decrypted URL is fetched over HTTPS and the response body is piped directly into `child_process.spawn('node', ['-'], {windowsHide: true, stdio: ['pipe','ignore','ignore'], detached: true})`, so attacker-supplied JavaScript executes as a detached, unref'd child of the developer/CI Node process, read from stdin with no on-disk artifact and with stdout/stderr suppressed. The bundle is padded with decoy near-duplicate exports (isWithinBoundary1..200, applyPreset1..150, createSequenceStep1..250, mapOperation1..250, checkConstraint1..250) to bury the dropper near the end of the file. The C2 URL is delivered out-of-band via a planted .css file, which defeats URL-based scanning of the package itself. 
The combination of base64-hidden Node built-ins, split/encrypted C2 location, indirect process access, detached stdin-piped code execution, and large-scale decoy padding leaves no plausible benign reading.\n","modified":"2026-06-13T07:31:42.434881010Z","published":"2026-06-13T07:07:30Z","database_specific":{"malicious-packages-origins":[{"sha256":"1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271","id":"IN-MAL-2026-006325","versions":["1.0.9"],"modified_time":"2026-06-13T07:07:31Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:40.068766092Z"},{"sha256":"cddea7ee0ae2ce582b944e02750fe4ef3628ffb98035f2c09f55add30b22c127","source":"amazon-inspector","versions":["1.0.4"],"modified_time":"2026-06-13T07:07:37Z","id":"IN-MAL-2026-006335","import_time":"2026-06-13T07:25:40.764396146Z"},{"sha256":"d3739061aa7c97593fe816a49960580ab7029e83063d6d64039c1e5a8e8184af","id":"IN-MAL-2026-006324","versions":["1.0.8"],"modified_time":"2026-06-13T07:07:31Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:39.953318306Z"},{"sha256":"3fe05a486e4cce2e9eb36558714ff75d3a7ff7db300c46095087db274451ed7d","source":"amazon-inspector","versions":["1.0.6"],"modified_time":"2026-06-13T07:07:36Z","id":"IN-MAL-2026-006333","import_time":"2026-06-13T07:25:40.63730102Z"},{"sha256":"5208740230d7c6e9e8e5f32d1ebab45afc0154359e84d4942ecdb6e46f0f9288","id":"IN-MAL-2026-006337","versions":["1.0.7"],"modified_time":"2026-06-13T07:07:38Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:40.905934094Z"},{"sha256":"6ea0e042a314a56ca71b97cf1c7a89d077248da659a89d33f4bc8799eda73b06","source":"amazon-inspector","versions":["1.0.4"],"modified_time":"2026-06-13T07:07:42Z","id":"IN-MAL-2026-006338","import_time":"2026-06-13T07:25:40.977438486Z"},{"sha256":"64df17fa107b8703f469a612dfdc6c03dbdea562847569034c97ae29ed4f636e","source":"amazon-inspector","versions":["1.0.7"],"modified_time":"2026-06-13T07:07:33Z","id":"IN-MAL-2026-006328","import_time":"2026-06-13T07:25:40.25
1900288Z"},{"sha256":"92df67dd5d501d62afce26625625d6b62f34cf568f40ae0d8f0c3bd070cfe7e5","id":"IN-MAL-2026-006336","versions":["1.0.6"],"modified_time":"2026-06-13T07:07:38Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:40.813933517Z"},{"sha256":"211ba697cc519cd1336ef57b17fddf0406cb1f574f96f9bde936b0a49c789aa7","id":"IN-MAL-2026-006332","versions":["1.0.3"],"modified_time":"2026-06-13T07:07:36Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:40.589206816Z"},{"sha256":"d5cff2f39d67bd1b289dd662764985194331c02ac680a57a69df36343fd6cc1a","id":"IN-MAL-2026-006334","versions":["1.0.2"],"modified_time":"2026-06-13T07:07:37Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:40.70724384Z"},{"sha256":"db93faf02c8e1d82ad4e6016c8bdff19e3d6373e2dea7b121f0475783fccbbf8","id":"IN-MAL-2026-006323","versions":["1.0.8"],"modified_time":"2026-06-13T07:07:30Z","source":"amazon-inspector","import_time":"2026-06-13T07:25:39.780773321Z"},{"sha256":"efebe9567f48ade64190acee35e050f62a1c604c4077861d248ed214bf723d02","source":"amazon-inspector","versions":["1.0.5"],"modified_time":"2026-06-13T07:07:34Z","id":"IN-MAL-2026-006329","import_time":"2026-06-13T07:25:40.327793108Z"},{"sha256":"4aba4e1c5927ad7b034a6fefab706397fd40df248bffb3fe43c2f4f3421bd89b","source":"amazon-inspector","versions":["1.0.3"],"modified_time":"2026-06-13T07:07:34Z","id":"IN-MAL-2026-006330","import_time":"2026-06-13T07:25:40.4704675Z"},{"sha256":"60238ce3fd8e5b43c795ab1c8305423e42c8e382d1a20bd470b34525034362de","source":"amazon-inspector","versions":["1.0.9"],"modified_time":"2026-06-13T07:07:33Z","id":"IN-MAL-2026-006327","import_time":"2026-06-13T07:25:40.177746847Z"},{"sha256":"9fabcad393dcfe529708719bf7be0104fe2060900d55055eac9d2e676c1f6a40","source":"amazon-inspector","versions":["1.0.2"],"modified_time":"2026-06-13T07:07:35Z","id":"IN-MAL-2026-006331","import_time":"2026-06-13T07:25:40.535685375Z"},{"sha256":"abb17afb17a74e6749e7e40905ad4963813c98bd5d4badf0a5f42ab44367f7a4","so
urce":"amazon-inspector","versions":["1.0.5"],"modified_time":"2026-06-13T07:07:32Z","id":"IN-MAL-2026-006326","import_time":"2026-06-13T07:25:40.127399945Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/class-synth/v/1.0.5"}],"affected":[{"package":{"name":"class-synth","ecosystem":"npm","purl":"pkg:npm/class-synth"},"versions":["1.0.9","1.0.4","1.0.8","1.0.6","1.0.7","1.0.3","1.0.2","1.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/class-synth/MAL-2026-5730.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product 
contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"324ae51677dd650b05a813f131336730fff47d1e5a0702705890b8b738b29235","tlsh":"dfc300ca72a23132d32b686048bf018bf377dda0177e4481d159a2adb63441ea5b7f7d","path":"dist/index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-K8FH1SJvAl2DZCpwHRy4+HnBhc64ZfpnUTmMFaWhjaLbemwMsDrW4tn1M+5FI49sL0wVOfMOU312xazzVoXHYg==","sha1":"1a4f8fef7550429fe2b83610f4c9244157275cbc"},"filename":"class-synth-1.0.9.tgz"}],"ips":["104.16.7.34","10.1.0.2"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
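The advisory above lists the dropper's traits (base64-hidden Node built-ins joined at runtime, `process` obtained through `new Function`, `spawn('node', ['-'])` with a detached child, the `@sri-hash:` stylesheet marker, AES-256-CBC, and numbered decoy exports). The following is an added example, not code from class-synth, Amazon Inspector or the OSV record: a static indicator scanner a CI pipeline could run over a package's `dist/index.js` and over the repository's `.css` files. The sample sources it scans are constructed for the example; the key chunks, marker payload and export names in them are placeholders, not the real class-synth payload. The indicator list and the `isLikelyDropper` verdict rule are this example's own choices.

```javascript
// Added example (not class-synth or advisory code): static indicator scan for the
// dropper pattern described in the advisory, run over constructed sample sources.

// Node built-ins the dropper pulls in; both bare and "node:"-prefixed spellings are checked.
const BUILTINS = ['fs', 'path', 'child_process', 'crypto', 'https', 'http', 'os', 'net', 'vm'];
const BUILTIN_NAMES = new Set(BUILTINS.flatMap((m) => [m, `node:${m}`]));
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Decode a candidate base64 token and report it only if it names a built-in module.
function decodeIfBuiltin(token) {
  if (token.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(token)) return null;
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  return BUILTIN_NAMES.has(decoded) ? decoded : null;
}

// Built-in names hidden as base64: either one literal, or chunks in an array
// literal that the dropper joins at runtime (so each chunk alone decodes to nothing).
const STRING_LITERAL = /(['"`])((?:\\.|(?!\1)[^\\])*)\1/g;
const CHUNK_ARRAY = /\[\s*((?:['"][A-Za-z0-9+/=]+['"]\s*,?\s*)+)\]/g;
function findEncodedBuiltins(src) {
  const found = new Set();
  for (const m of src.matchAll(STRING_LITERAL)) {
    const d = decodeIfBuiltin(m[2]);
    if (d) found.add(d);
  }
  for (const arr of src.matchAll(CHUNK_ARRAY)) {
    const joined = [...arr[1].matchAll(/['"]([A-Za-z0-9+/=]+)['"]/g)].map((x) => x[1]).join('');
    const d = decodeIfBuiltin(joined);
    if (d) found.add(d);
  }
  return [...found].sort();
}

// Families of numbered near-duplicate exports (isWithinBoundary1..N) used as padding.
function decoyFamilies(src, minCount = 50) {
  const counts = new Map();
  for (const m of src.matchAll(/\b(?:exports\.|export\s+(?:const|function)\s+)([A-Za-z_$]+)(\d+)\b/g)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= minCount).map(([base, n]) => ({ base, n }));
}

const INDICATORS = [
  // process reached through new Function(...) so it never appears as a bare identifier
  { id: 'indirect-process', re: /new\s+Function\s*\(\s*(['"`])[\s\S]*?\bprocess\b[\s\S]*?\1\s*\)/ },
  // fetched body executed by a node child that reads the script from stdin
  { id: 'node-stdin-spawn', re: /spawn\s*\(\s*['"`]node['"`]\s*,\s*\[\s*['"`]-['"`]\s*\]/ },
  { id: 'detached-child', re: /detached\s*:\s*true/ },
  { id: 'sri-hash-marker', re: /@sri-hash:/ },
  { id: 'aes-256-cbc', re: /aes-256-cbc/i },
  { id: 'async-iife', re: /\(\s*async\s*(?:function\b|\([^)]*\)\s*=>)/ },
];

function scanPackageSource(src) {
  const findings = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id);
  const encoded = findEncodedBuiltins(src);
  if (encoded.length) findings.push(`encoded-builtins:${encoded.join(',')}`);
  const padding = decoyFamilies(src).reduce((sum, f) => sum + f.n, 0);
  if (padding) findings.push(`decoy-padding:${padding}`);
  return findings;
}

// Verdict rule (this example's choice): a hidden built-in import plus an execution sink
// is enough to block; the other indicators corroborate but can occur in benign code alone.
function isLikelyDropper(findings) {
  const sink = findings.includes('node-stdin-spawn') || findings.includes('indirect-process');
  return sink && findings.some((f) => f.startsWith('encoded-builtins:'));
}

// The C2 URL arrives out of band in a planted stylesheet, so CI should also refuse any
// .css file carrying the marker; returns the base64 payloads found (they cannot be
// decrypted without the key, but their presence is the signal).
function findSriHashMarkers(css) {
  return [...css.matchAll(/@sri-hash:\s*([A-Za-z0-9+/=]+)/g)].map((m) => m[1]);
}

// Constructed samples in the shape the advisory describes; key chunks, marker and
// names are placeholders for this example, not the real class-synth payload.
const chunks = (s) => [s.slice(0, 8), s.slice(8)].map((c) => JSON.stringify(c)).join(', ');
const SAMPLE_DROPPER = [
  `const mods = [${['node:fs', 'node:path', 'node:crypto', 'node:https'].map((m) => JSON.stringify(b64(m))).join(', ')}];`,
  `const cp = [${chunks(b64('node:child_process'))}].join('');`,
  `const P = new Function('return typeof process!== "undefined"? process: null;')();`,
  '(async () => {',
  "  const key = Buffer.from(['deadbeef', 'cafebabe'].join(''), 'hex'); // placeholder, not a real key",
  '  const hit = css.match(/@sri-hash:([A-Za-z0-9+/=]+)/);',
  "  const url = decrypt('aes-256-cbc', key, Buffer.from(hit[1], 'base64'));",
  "  const child = spawn('node', ['-'], { windowsHide: true, stdio: ['pipe', 'ignore', 'ignore'], detached: true });",
  '  body.pipe(child.stdin); child.unref();',
  '})();',
  ...Array.from({ length: 60 }, (_, i) => `exports.isWithinBoundary${i + 1} = (v) => v;`),
].join('\n');
const SAMPLE_BENIGN = [
  "const fs = require('node:fs');",
  "exports.classNames = (...a) => a.filter(Boolean).join(' ');",
  "exports.formatDate = (d) => d.toISOString().slice(0, 10);",
].join('\n');
const SAMPLE_CSS = '.btn { color: red; }\n/* @sri-hash: QUJDREVGR0g= */\n';

console.log(scanPackageSource(SAMPLE_DROPPER), isLikelyDropper(scanPackageSource(SAMPLE_DROPPER)));
console.log(scanPackageSource(SAMPLE_BENIGN), findSriHashMarkers(SAMPLE_CSS));
```

The decoder only reports a base64 token when it decodes to a known built-in name, which keeps ordinary base64 data (icons, test fixtures) out of the findings; the array-join pass exists because splitting the encoded name into chunks defeats a per-literal decoder. Run `findSriHashMarkers` over every stylesheet in the checkout, not only those the package ships, since the advisory's marker is planted in the victim's own `.css` files.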