npm · Malicious package advisory
Malwareparams-valid-js
MAL-2026-5988
Malicious code in params-valid-js (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c)
The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate `request` package (bugs URL `http://github.com/request/request/issues`, copied copyright header), but its only effective behavior is to launch a remote-code-execution dropper. The default export in `index.js` is a `middleware` function whose sole action is to spawn `node lib/callers.js` as a detached child with `stdio: 'ignore'` and `child.unref()`, allowing the dropper to continue running after the parent exits. `lib/callers.js` shadows `process` with a local object (`const process = { env: { DEV_API_KEY: 'google.com', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }`) so what looks like environment configuration is actually a hardcoded fetch target. The script then performs `axios.get(src, { headers: { [k]: v } })`, reads `response.data.Cookie`, passes it to `new Function.constructor('require', s)`, and immediately invokes the resulting function with the real `require` — executing whatever Node code the server returns with full module access. The combination of name/identity impersonation, detached background execution, environment-shadowing obfuscation, and unpinned remote-eval is a clear supply-chain attack: any consumer that loads this package and invokes the middleware export executes attacker-controlled code.
Compromised versions (2)
- 1.0.0
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.