npm · Malicious package advisory
Malwarepathfix
MAL-2026-5989
Malicious code in pathfix (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f2527fa3618f01b694722f2a50297c248053dcdabf1b471ee9bdbdc6522bb838)
pathfix presents itself as a Stylus port of normalize.css but ships a copy of the unrelated normalize-path module with an appended remote-code-execution gadget. On module load, index.js invokes initPlugin(), which uses the `request` library to GET a configurable URL and evaluates the response body's `.cookie` field as JavaScript via `new (Function.constructor)('require', JSON.parse(b).cookie)(require)` (index.js line 71), giving the fetched code full `require` access on the installer's machine. initPlugin() is also re-exported as the package's main export, so any caller that passes a URL triggers the eval path. Although the default URL is blank in this published version, the gadget is fully wired and runs automatically on require(). The package metadata (description and keywords claiming normalize.css/stylus relevance) is a cover story to attract installs from developers searching for normalize-path or normalize.css, and the dependency list (express, sqlite3, axios, request) is unrelated to the package's stated purpose and inflates the install graph.
## Source: ghsa-malware (fb5a3f82683552a878fb98f68cb1508752ba024715de996f07c8bf571be24248)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (3)
- 3.0.10
- 3.0.11
- 3.0.12
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.