{"id":"MAL-2026-5985","summary":"Malicious code in node-path-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9)\nPackage name `node-path-utils` and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core `path` standard library to lure developers into installing it. On `require()` of the main entry (`path.js`), a top-level IIFE invokes `loadTokenData()`, which decodes a base64-encoded URL (`aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9QMENORA==` → `https://www.jsonkeeper.com/b/P0CND`), `fetch()`es it, and passes the response JSON's `content` field directly to `eval()`. jsonkeeper.com is a free, mutable JSON-paste service: whoever controls the paste can swap the served code at any time, executing arbitrary attacker-controlled JavaScript in the consumer's Node process on every import. Additionally, `path.js` does `require('mddriver')` at module top with `mddriver: \"*\"` in dependencies — an unused, unpinned third-party package pulled into the installer's process at import, providing a second smuggling vector for attacker code via the transitive dependency. The combination of stdlib impersonation, base64-obfuscated remote fetch, eval of mutable paste-host content, and an unused wildcard-pinned sidecar dep is an unambiguous remote-code-execution dropper.\n","modified":"2026-06-17T06:02:04.405007554Z","published":"2026-06-17T04:20:30Z","database_specific":{"malicious-packages-origins":[{"sha256":"180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9","modified_time":"2026-06-17T04:20:30Z","source":"amazon-inspector","id":"IN-MAL-2026-006880","import_time":"2026-06-17T05:45:41.991284706Z","versions":["1.23.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-path-utils/v/1.23.2"}],"affected":[{"package":{"name":"node-path-utils","ecosystem":"npm","purl":"pkg:npm/node-path-utils"},"versions":["1.23.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-path-utils/MAL-2026-5985.json","indicators":{"evidence_files":[{"path":"path.js","sha256":"275628b95a69767953c674b4367b8547265c39c1d40d460e9d29e80685999a3c","tlsh":"48828444594661599a3777b0df0a340ef77684f34215ab00f89cea502f72e78a2feed8"},{"path":"package.json","sha256":"f41e67088d05fb2b7f35cbad49a766d326dced0605a7186eaf39aa8cdc057873","tlsh":"e7e0ab109f51ad3312ea136a9d2c40577360cecf0514bc0023ca0aac968e4bba6f228c"}],"package_integrity":[{"hashes":{"sha1":"a748e95bcb154a75df422d85ea4a4013d6d0d4d8","sha512_sri":"sha512-iU+w0cRqYcmoH8ZnqMJkSHliff9zYoOMMtisJMFRsNTvYHqcUFINWMoCSazSWv607G4OS8glwITFyIkFuAJEFg=="},"filename":"node-path-utils-1.23.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}