VYPR

npm · Malicious package advisory

Malware

params-valid-js

MAL-2026-5988

Malicious code in params-valid-js (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c)
The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate `request` package (bugs URL `http://github.com/request/request/issues`, copied copyright header), but its only effective behavior is to launch a remote-code-execution dropper. The default export in `index.js` is a `middleware` function whose sole action is to spawn `node lib/callers.js` as a detached child with `stdio: 'ignore'` and `child.unref()`, allowing the dropper to continue running after the parent exits. `lib/callers.js` shadows `process` with a local object (`const process = { env: { DEV_API_KEY: 'google.com', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }`) so what looks like environment configuration is actually a hardcoded fetch target. The script then performs `axios.get(src, { headers: { [k]: v } })`, reads `response.data.Cookie`, passes it to `new Function.constructor('require', s)`, and immediately invokes the resulting function with the real `require` — executing whatever Node code the server returns with full module access. The combination of name/identity impersonation, detached background execution, environment-shadowing obfuscation, and unpinned remote-eval is a clear supply-chain attack: any consumer that loads this package and invokes the middleware export executes attacker-controlled code.

Compromised versions (2)

  • 1.0.0
  • 1.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.