{"id":"MAL-2026-5753","summary":"Malicious code in @gbrlxvi/ts-form-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (20e77262ebb59497687fabfba394959da9ce6afbaf436aa5fcf654b2c8a44a32)\nPackage advertises trivial form-validation helpers (notEmpty/isEmail/isPhone/maxLen/minLen) but on require/import of the main module performs an environment-gated remote-style code execution. index.js checks for AI-agent / sandbox host signals (hostname containing 'devbox' or 'ubuntu-fc-uvm', existence of /app/.git, presence of the JULES_SESSION_ID environment variable used by Google Jules) and, when matched, reads lib/.perf.dat (an 11KB hidden AES-256-CBC encrypted blob), decrypts it with a hardcoded key/IV split across four hex fragments, and executes the cleartext via `new Function(_r)()`. Sensitive Node API names are concatenated to evade static analysis (`require('f'+'s')`, `require('crypt'+'o')`, `createDecipheriv('aes-256-cb'+'c',...)`) and the entire block is wrapped in `try{...}catch(_){}` so failures are silent. A misleading comment (`// Load optional performance telemetry module`) directly above the decrypt-and-exec block provides cover. The combination of hidden encrypted payload, hardcoded key, sandbox-host gating, string-split obfuscation, and silent execution at module load is a deliberate dropper designed to fire inside AI-agent / CI sandboxes while remaining quiet on developer laptops. Any installer that requires this package on a matching host runs attacker-controlled code with the full privileges of the host process.\n","modified":"2026-06-13T22:31:44.926302599Z","published":"2026-06-13T21:38:53Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-13T21:39:03Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.541091647Z","sha256":"020672b183cc7624f9352dcd99d6584755d8aba7c2c3b8ba2c51488db921ac69","versions":["1.9.0"],"id":"IN-MAL-2026-006433"},{"modified_time":"2026-06-13T21:39:05Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.694615588Z","sha256":"1e64a8a601d0ea3395020f8e7e6a6e05ca0c0bbc97690ad1f10ecddfea2a0881","versions":["1.0.1"],"id":"IN-MAL-2026-006436"},{"import_time":"2026-06-13T22:27:36.286878384Z","source":"amazon-inspector","modified_time":"2026-06-13T21:39:01Z","versions":["1.4.0"],"sha256":"612a7d24d129dc2a7ef33c1c079e054f495c64e7b45a48d449548b53e86b14f3","id":"IN-MAL-2026-006430"},{"modified_time":"2026-06-13T21:39:03Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.581427214Z","versions":["1.0.1"],"sha256":"797e08685dd81cf8f98e89032aa97cb7c73383b41c9fa8054f8c5a143366a00a","id":"IN-MAL-2026-006434"},{"modified_time":"2026-06-13T21:39:06Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.788252129Z","sha256":"99f7d879480f11f118972f459c1241dc3ba43af5f4804b2908234db38765e337","versions":["1.3.0"],"id":"IN-MAL-2026-006438"},{"modified_time":"2026-06-13T21:38:55Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.731847766Z","versions":["1.6.0"],"sha256":"feae9607963762c439f72fa10db6739490b3547d2ad787884c33d1a1cb4f4278","id":"IN-MAL-2026-006419"},{"modified_time":"2026-06-13T21:38:55Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.792606507Z","versions":["1.2.1"],"sha256":"07e94a7b3fb5fa835a6456daa2e996705fc78efcb9f1949433c7dd84a679c96a","id":"IN-MAL-2026-006420"},{"modified_time":"2026-06-13T21:38:54Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.648749775Z","versions":["1.0.0"],"sha256":"3aca9046854cfa926ed61680c83ba720f0735b51e28d16db3bfe476d4015fd1d","id":"IN-MAL-2026-006418"},{"modified_time":"2026-06-13T21:39:07Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.868206774Z","versions":["1.3.0"],"sha256":"40c6b2e7595f2f399f83210113aad2fe1cf27abad0b19d91f278b596f1141b12","id":"IN-MAL-2026-006439"},{"modified_time":"2026-06-13T21:38:57Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.901375284Z","sha256":"6e9ba9e4eaae207ea3e9962b8623ce38b6fdf7e39f12c4562311ca3cc9c8dc72","versions":["1.1.0"],"id":"IN-MAL-2026-006423"},{"modified_time":"2026-06-13T21:39:02Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.417595956Z","versions":["1.4.0"],"sha256":"6f1a493f8ae8bef2cdd8afbb113b8e0f0c2bd86f4ef0e7ac7e34bddd23b65f29","id":"IN-MAL-2026-006432"},{"modified_time":"2026-06-13T21:38:53Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.437823952Z","versions":["1.0.0"],"sha256":"71d9cedec03f81b8bd1478618d964a8aaa3cd4060c2189de90c64633653f0abf","id":"IN-MAL-2026-006415"},{"modified_time":"2026-06-13T21:38:56Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.866968424Z","versions":["2.1.0"],"sha256":"76dbf856004a1077cd98f2e249671d488b49858447c08f83bf8463af791f471c","id":"IN-MAL-2026-006422"},{"modified_time":"2026-06-13T21:39:00Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.225666815Z","sha256":"7e846712a26aa26f3405f3073038bc0b0083a339a19cd9e1d006094e475768a4","versions":["1.0.2"],"id":"IN-MAL-2026-006429"},{"modified_time":"2026-06-13T21:39:04Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.652820326Z","sha256":"20e77262ebb59497687fabfba394959da9ce6afbaf436aa5fcf654b2c8a44a32","versions":["1.5.0"],"id":"IN-MAL-2026-006435"},{"modified_time":"2026-06-13T21:38:58Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.034703248Z","sha256":"40ea39992b18e1c80361e9288e87dad2250cb2c92dfa042116d87b9228c9ce0b","versions":["1.1.0"],"id":"IN-MAL-2026-006425"},{"import_time":"2026-06-13T22:27:36.952297662Z","source":"amazon-inspector","modified_time":"2026-06-13T21:39:07Z","versions":["1.7.0"],"sha256":"68b77f82c4db9fdd54fb212d46c02aee277e47036a925849a25a0b7edb9658bb","id":"IN-MAL-2026-006440"},{"import_time":"2026-06-13T22:27:35.987715479Z","source":"amazon-inspector","modified_time":"2026-06-13T21:38:57Z","versions":["2.1.0"],"sha256":"8243efd91b1e880868a29bdf8ce365aaf44eb4d5d8d67551105e0418862c3fa1","id":"IN-MAL-2026-006424"},{"modified_time":"2026-06-13T21:38:53Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.523004069Z","versions":["1.6.0"],"sha256":"ad9403a3859b206bc3ff5a70afc9649e6e026130c79f241208b1c1101b85cfc3","id":"IN-MAL-2026-006416"},{"modified_time":"2026-06-13T21:38:59Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.111155327Z","sha256":"c62a5b59d2296c1241ce25b759510f46dc9624e8768134bed2d35841a8b624bc","versions":["2.0.0"],"id":"IN-MAL-2026-006427"},{"modified_time":"2026-06-13T21:39:01Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.338822531Z","versions":["1.9.0"],"sha256":"d7f8cb27d87fdbfaa52e6a62a0e0c315c3b80d2a582dbe383d9c8b1b66d774ba","id":"IN-MAL-2026-006431"},{"modified_time":"2026-06-13T21:38:56Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.817892842Z","versions":["1.2.1"],"sha256":"f4e6e1f5854ed9e6b2556c791180b5c6818a54d642cace327b29925cae3efe10","id":"IN-MAL-2026-006421"},{"modified_time":"2026-06-13T21:39:00Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.147314299Z","sha256":"19fed3d40ad4eeace127713807d02dc10231019dc1c01d1d2bab2bd1ca059a29","versions":["1.0.2"],"id":"IN-MAL-2026-006428"},{"modified_time":"2026-06-13T21:39:08Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.988966505Z","versions":["1.7.0"],"sha256":"382d1a2d470f2c29c585259a7043c3bfaf61a8a4d5e8b6d4077d2ad9d1195401","id":"IN-MAL-2026-006441"},{"modified_time":"2026-06-13T21:38:58Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.068690377Z","versions":["2.0.0"],"sha256":"da4236ad5bf725cfd50b5da20d0a6a499dbe78fec666f63fd2444e2669d57d40","id":"IN-MAL-2026-006426"},{"modified_time":"2026-06-13T21:39:05Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:36.741688666Z","versions":["1.5.0"],"sha256":"ea64905deb85e1c575b0cc0aa13b908dd0befe94dbc781444826986123f20174","id":"IN-MAL-2026-006437"},{"modified_time":"2026-06-13T21:38:54Z","source":"amazon-inspector","import_time":"2026-06-13T22:27:35.582704355Z","versions":["1.8.0"],"sha256":"ed706d68c22a68cd54df5d0b9c17de5317c1ea8e97dc5e1655768c4fa99bbcea","id":"IN-MAL-2026-006417"},{"import_time":"2026-06-13T22:27:37.036153296Z","source":"amazon-inspector","modified_time":"2026-06-13T21:39:09Z","versions":["1.8.0"],"sha256":"f9bc61771148f9c7f8c14c8faa5bffa2f4b460cc4d1f4b61269c5c1f28c3a0b3","id":"IN-MAL-2026-006442"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/2.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.7.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.6.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvi/ts-form-utils/v/1.8.0"}],"affected":[{"package":{"name":"@gbrlxvi/ts-form-utils","ecosystem":"npm","purl":"pkg:npm/%40gbrlxvi%2Fts-form-utils"},"versions":["1.9.0","1.0.1","1.4.0","1.3.0","1.6.0","1.2.1","1.0.0","1.1.0","2.1.0","1.0.2","1.5.0","1.7.0","2.0.0","1.8.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvi/ts-form-utils/MAL-2026-5753.json","indicators":{"package_integrity":[{"filename":"ts-form-utils-1.4.0.tgz","hashes":{"sha1":"f912c681b4b173e6da768937548f8a2b6e2ec4f3","sha512_sri":"sha512-sr3J9MDO4Yf5hPKjDDmaCOMR98TFX43uz/x6EfZOtrjoJD8m1Hd6gbXuP7fEWJrSrHpbejJkgSn0J7Oppb5fLQ=="}}],"ips":["104.16.2.34","10.1.0.2"],"domains":["aaronstack.com"],"evidence_files":[{"path":"index.js","sha256":"37ec77f103e5d14e9c81e1a13f25b7ad7503e641d13608576c16e7de0ca77f47","tlsh":"084130846cfa61b039335092502bc90376f6aa07105ced59b2e9d7922fe4f90866f6fc"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}