{"id":"MAL-2026-6441","summary":"Malicious code in unifydata (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3)\nOn require('unifydata'), index.js calls initPlugin() at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the response, and executes the response's `cookie` field as JavaScript via `new Function.constructor('require', body.cookie)` — then immediately invokes the resulting function with the real `require`, granting it full Node module-loading capability. jsonkeeper.com is an anonymous, author-mutable JSON paste service; the bytes executed in any installer process are whatever the author has posted there at the time of import, with no pinning, hashing, or signature. The package presents itself with a header comment labeling it `normalize-plus (ES6 safe version)` and ships a benign-looking `normalizePath` helper as a decoy, while the published package name is `unifydata` — the mislabeled cover and unused utility code are consistent with a dropper masquerading as a routine helper. Any process that imports this package executes arbitrary attacker-controlled code with the privileges of that process.\n","modified":"2026-06-25T06:31:21.849752454Z","published":"2026-06-25T04:57:45Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-25T04:57:45Z","source":"amazon-inspector","sha256":"0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3","versions":["3.6.6"],"id":"IN-MAL-2026-007458","import_time":"2026-06-25T06:26:40.545934216Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/unifydata/v/3.6.6"}],"affected":[{"package":{"name":"unifydata","ecosystem":"npm","purl":"pkg:npm/unifydata"},"versions":["3.6.6"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-EGhq19bWARdlqOvnSHSiGzOfWJzUn3TNrEIAvEdF7FV+KyZHr6/vQQSfzYRHZ0rCpigiOqfphbXfxQ6M748w4A==","sha1":"a4031cfc2a8916e261b92ad735a6db3c3b5c8866"},"filename":"unifydata-3.6.6.tgz"}],"evidence_files":[{"path":"index.js","sha256":"db06229179a2486e3923de79412d20d9a4815da145684bf15042225eb6789b40","tlsh":"fc41ddda20fa6115c1a3e1810e8fc409b22ae1173359cac5b99c53546fe07a8a7e2f5a"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unifydata/MAL-2026-6441.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}