VYPR

npm · Malicious package advisory

Malware

path-addon-extend

MAL-2026-10420

Malicious code in path-addon-extend (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b383636076e2701a372675c281ee82463d97529ed7d8db027276aa8a8b68b966)
path-addon-extend presents itself as a copy of Node's built-in `path` module. On module load, path.js issues an HTTPS GET to a base64-obscured URL that decodes to https://json.extendsclass.com/bin/567893d4e220 and passes the response's `.content` field directly to `eval()`. The destination is a public JSON-bin service whose contents can be mutated at any time by the publisher (or anyone in possession of the bin token), giving arbitrary remote code execution in any process that requires this package. The endpoint is stored as a base64 literal decoded via `atob(...)` at call time rather than as a plain string, concealing the destination in a package that otherwise mirrors the Node core `path` module.

Compromised versions (3)

  • 1.0.7
  • 1.0.8
  • 1.0.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.