{
  "id": "MAL-2026-6484",
  "summary": "Malicious code in random-string-64 (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96)\nThe package advertises itself as a 5-line random-string generator, but index.js (the declared main) contains a hardcoded AES-256-CBC ciphertext blob that is decrypted with a sha256-derived key and passed to `globalThis.eval`. The `eval` identifier is hidden by storing the strings ['error','vertex','length','delta','alphabetic'] and reconstructing the function name from the first letter of each entry ('e','v','a','l'). Execution is gated by node-env-detector checks (isCI / isNpmBot / isContainer / isVirtualMachineLikely): on automated/sandboxed hosts the package only logs a benign message, while on real developer workstations the decrypted JavaScript is executed when the exported `getUniqueID(64)` function is called. Any consumer that imports random-string-64 and invokes its documented API on a developer machine runs attacker-controlled code with the privileges of the calling process.\nThe combination of opaque encrypted payload, eval-identifier obfuscation, and explicit anti-analysis gating is unambiguous supply-chain attack shape.\n",
  "modified": "2026-06-25T23:16:23.670366444Z",
  "published": "2026-06-25T22:58:50Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "source": "amazon-inspector",
        "modified_time": "2026-06-25T22:58:50Z",
        "import_time": "2026-06-25T23:00:35.049451629Z",
        "versions": ["1.0.0"],
        "id": "IN-MAL-2026-007569",
        "sha256": "356cb4cebd8f7b30b014f32279670aee9beca2a356c7f778c343afb954db764e"
      },
      {
        "source": "amazon-inspector",
        "modified_time": "2026-06-25T22:58:56Z",
        "import_time": "2026-06-25T23:00:35.097102401Z",
        "versions": ["1.0.1"],
        "id": "IN-MAL-2026-007570",
        "sha256": "9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/random-string-64/v/1.0.0"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/random-string-64/v/1.0.1"}
  ],
  "affected": [
    {
      "package": {"name": "random-string-64", "ecosystem": "npm", "purl": "pkg:npm/random-string-64"},
      "versions": ["1.0.0", "1.0.1"],
      "database_specific": {
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "bd51c99a38767504178250ebc6bff80e123aba437844a78077cd66c68fe873895b2079",
              "sha256": "358966aeea50b0195f9c8d14106e12caebf7d2bd44b2fd789c1f5931669481e2",
              "path": "index.js"
            },
            {
              "tlsh": "50e02b3d4e4185ca14b3a28212e793e00c02c0a03ce86aa8af82d4fa42818022838f24",
              "sha256": "2ef681506356ca9514f9613a1b1ac81a4c6c8bc6bb52157cf69ca5e6e4dad5f9",
              "path": "readme.md"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha1": "4c0ad09d47041901cb517c94f45b9ecad967c161",
                "sha512_sri": "sha512-CzW2MdO5wBIOtGjPpOeZHeu5QMdgr31reVsVjkjU+LymD311fCRtx1qusspfGC5+7JlgrbnrbGhbrv7YU329tQ=="
              },
              "filename": "random-string-64-1.0.0.tgz"
            }
          ]
        },
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"},
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/random-string-64/MAL-2026-6484.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}]
}