mal-2026-5988
Vulnerability from ossf_malicious_packages
Published
2026-06-17 04:22
Modified
2026-06-18 19:21
Summary
Malicious code in params-valid-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c)

The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package (bugs URL http://github.com/request/request/issues, copied copyright header), but its only effective behavior is to launch a remote-code-execution dropper. The default export in index.js is a middleware function whose sole action is to spawn node lib/callers.js as a detached child with stdio: 'ignore' and child.unref(), allowing the dropper to continue running after the parent exits. lib/callers.js shadows process with a local object (const process = { env: { DEV_API_KEY: 'google.com', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }) so what looks like environment configuration is actually a hardcoded fetch target. The script then performs axios.get(src, { headers: { [k]: v } }), reads response.data.Cookie, passes it to new Function.constructor('require', s), and immediately invokes the resulting function with the real require — executing whatever Node code the server returns with full module access. The combination of name/identity impersonation, detached background execution, environment-shadowing obfuscation, and unpinned remote-eval is a clear supply-chain attack: any consumer that loads this package and invokes the middleware export executes attacker-controlled code.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "lib/callers.js",
              "sha256": "958ffe8101528203679b0ccfea7dae00f3069f21f87a15d45740bfc183b7a48e",
              "tlsh": "8e01978f70ac545c09b013e6bb2be436f622b56b390281d0375c86421f769a96653eee"
            },
            {
              "path": "index.js",
              "sha256": "356f24fff7af39ef7026879a2c571b3c81ee0ecf880078e24b25be69fe5642d6",
              "tlsh": "87a1648526e373519aebb2d1e81f4229b675d223320e1a7178c587d81f0cc69d3b3dd5"
            },
            {
              "path": "package.json",
              "sha256": "89c833a7fbb54df1f60658a049f6c22b590048263c2ed1a9eedccfe64bc123ac",
              "tlsh": "62415620cc6a8c931dc929e5687d5603b1a0a41b8e41bc1d778a638c4f5e46f32b8f2d"
            }
          ],
          "package_integrity": [
            {
              "filename": "params-valid-js-1.0.0.tgz",
              "hashes": {
                "sha1": "2571d0dfb830c5c57026818751f72ec713a94676",
                "sha512_sri": "sha512-UGgRKNlZk5LB6jl1fVWCjEbEEzudaH300FB8EMzkixbDlrWB1x2paVFQySa8GmEzKGnl713L51IOqE4JedqVcA=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "params-valid-js"
      },
      "versions": [
        "1.0.0",
        "1.0.3"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-006882",
        "import_time": "2026-06-17T05:45:42.075763795Z",
        "modified_time": "2026-06-17T04:22:54Z",
        "sha256": "4f0f4f5cc684f7bf7b40af2f6856c7d5865f57c7492da68af6c1c194741a4629",
        "source": "amazon-inspector",
        "versions": [
          "1.0.0"
        ]
      },
      {
        "id": "IN-MAL-2026-007028",
        "import_time": "2026-06-18T19:20:03.356634194Z",
        "modified_time": "2026-06-18T19:11:16Z",
        "sha256": "397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c",
        "source": "amazon-inspector",
        "versions": [
          "1.0.3"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c)\nThe package presents itself as \u0027Simplified HTTP request client\u0027 and copies identity metadata from Mikeal Rogers\u0027 legitimate `request` package (bugs URL `http://github.com/request/request/issues`, copied copyright header), but its only effective behavior is to launch a remote-code-execution dropper. The default export in `index.js` is a `middleware` function whose sole action is to spawn `node lib/callers.js` as a detached child with `stdio: \u0027ignore\u0027` and `child.unref()`, allowing the dropper to continue running after the parent exits. `lib/callers.js` shadows `process` with a local object (`const process = { env: { DEV_API_KEY: \u0027google.com\u0027, DEV_SECRET_KEY: \u0027x-secret-key\u0027, DEV_SECRET_VALUE: \u0027_\u0027 } }`) so what looks like environment configuration is actually a hardcoded fetch target. The script then performs `axios.get(src, { headers: { [k]: v } })`, reads `response.data.Cookie`, passes it to `new Function.constructor(\u0027require\u0027, s)`, and immediately invokes the resulting function with the real `require` \u2014 executing whatever Node code the server returns with full module access. The combination of name/identity impersonation, detached background execution, environment-shadowing obfuscation, and unpinned remote-eval is a clear supply-chain attack: any consumer that loads this package and invokes the middleware export executes attacker-controlled code.\n",
  "id": "MAL-2026-5988",
  "modified": "2026-06-18T19:21:58Z",
  "published": "2026-06-17T04:22:54Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/params-valid-js/v/1.0.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/params-valid-js/v/1.0.3"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in params-valid-js (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.