npm · Malicious package advisory
Malwarebuffer-util-internal
MAL-2026-10151
Malicious code in buffer-util-internal (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7) Package impersonates Feross Aboukhadijeh's widely-used `buffer` package, copying its author, repository, contributors, and description metadata while publishing under the name `buffer-util-internal`. The main module `index.js` contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's `content` field directly to `eval`. The destination URL is hidden behind a variable named `tokenStringRe` with a misleading `// Random string to generate strong random value` comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate `buffer` package.
Compromised versions (2)
- 1.0.13
- 1.0.14
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.