{"id":"MAL-2026-6510","summary":"Malicious code in @merceas/cross-fetch (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127)\nPackage is published under the @merceas scope as `cross-fetch` and reuses the upstream cross-fetch README, homepage (github.com/lquixada/cross-fetch), and author metadata to impersonate the legitimate `cross-fetch` package. The package `main`, dist/node-ponyfill.js, contains decoy ponyfill code followed by two obfuscator.io-packed IIFEs that run when the module is `require()`d. The IIFEs dynamically import fs/os/path/https/http/crypto/url/child_process, AES-256-decrypt a URL constructed at runtime from four 32-byte hex Buffers, HTTPS-GET the payload (handling 301/302/303/307/308 redirects with exponential-backoff retries), write it under `os.tmpdir()/\u003cname\u003e-\u003cpid\u003e/`, chmod the file to 0755 (`chmodSync(file, 0o1ed)`), then execute it via `bash -c \u003cfile\u003e` and additionally spawn a detached, `unref()`'d child with `stdio:'ignore'` and `windowsHide:true` for self-respawn / persistence. Obfuscation uses a string-array with numeric-IIFE shift, RC4-keyed base64 lookup, and an anti-tamper RegExp debugger self-test to hide the URL and command strings from static inspection.\nImporting this package — directly or as a transitive dependency — executes attacker-controlled bytes on the installer's machine in any environment that loads the module (CI, build, production, developer workstation).\n","modified":"2026-06-26T06:46:30.006184774Z","published":"2026-06-26T05:51:44Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-26T05:51:44Z","sha256":"5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127","id":"IN-MAL-2026-007598","import_time":"2026-06-26T06:28:53.100203378Z","source":"amazon-inspector","versions":["3.1.12"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@merceas/cross-fetch/v/3.1.12"}],"affected":[{"package":{"name":"@merceas/cross-fetch","ecosystem":"npm","purl":"pkg:npm/%40merceas%2Fcross-fetch"},"versions":["3.1.12"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@merceas/cross-fetch/MAL-2026-6510.json","indicators":{"evidence_files":[{"sha256":"acbdb415bc5877768dfb63d6444050ce4f2cfa136902b1ff1d87f01e38657553","path":"package.json","tlsh":"1a513f21c96c4ca309e560a4557e528371248a878ea07c1d33df422d8f1e6ef30bdeae"},{"sha256":"62a7c6e9fcd26c6a108978a0039d466d0b5c0761093bf60efa4c96e4bd1b1e57","path":"dist/node-ponyfill.js","tlsh":"ed93f9857dea307f535290b3212f6292e52ddc5d6348c418e461dcedbf6422ce27eaac"}],"package_integrity":[{"hashes":{"sha1":"c551eeb1e01d4a5c1bd84fa777ff1fb4a42ad79e","sha512_sri":"sha512-g9OiIa1Tyf1RS6I6igC7JFOSenkMR3APZt3yGWFmxIpK2UDUwiehe9vOmG/n4h6DBn69rtR4ERAaIynUnNbgPA=="},"filename":"cross-fetch-3.1.12.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}