npm · Malicious package advisory
Malwarereq-parmas-valid
MAL-2026-5991
Malicious code in req-parmas-valid (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (063b7e2667c434784d0b5d2ce333ea700fbc17571da3f5f4fc7d0f03ac406bd0)
Package name `req-parmas-valid` impersonates the well-known `request` HTTP client (description copied verbatim as 'Simplified HTTP request client.', `bugs.url` points at `github.com/request/request/issues`, README and most source copied from upstream). Bolted onto the copied source is a malicious `middleware` export (also exposed as `reqValidator` and the package's default export) which spawns a detached `node lib/callers.js` child process. `lib/callers.js` performs an HTTPS GET to `https://www.jsonkeeper.com/b/DDC6J` (an anonymous, mutable paste host), reads the `Cookie` field of the JSON response, and evaluates it via `new Function.constructor("require", s)(require)` — handing the fetched bytes full Node `require` capability with no integrity check, no pinning, and a payload host completely alien to the package's advertised purpose. Any consumer that imports and uses the middleware (the obvious Express-style API shape) executes arbitrary remote code controlled by whoever currently owns the paste.
Compromised versions (1)
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.