VYPR

npm · Malicious package advisory

Malware

node-path-addon

MAL-2026-10463

Malicious code in node-path-addon (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d)
node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that separate npm name. The shim also imports the 'https' module without using it, and the README instructs users to run 'npm install --save path-addon' rather than the actual published name 'node-path-addon', a naming mismatch consistent with typosquat lure behavior. The package itself contains no direct exfiltration or shell execution, but the wildcard-pinned require on import is a loader that grants an external, mutable dependency arbitrary code execution in the consumer's process on every install and require.

Compromised versions (1)

  • 1.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.