npm · Malicious package advisory
Malwarerandom-string-64
MAL-2026-6484
Malicious code in random-string-64 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96)
The package advertises itself as a 5-line random-string generator, but index.js (the declared main) contains a hardcoded AES-256-CBC ciphertext blob that is decrypted with a sha256-derived key and passed to `globalThis.eval`. The `eval` identifier is hidden by storing the strings ['error','vertex','length','delta','alphabetic'] and reconstructing the function name from the first letter of each entry ('e','v','a','l'). Execution is gated by node-env-detector checks (isCI / isNpmBot / isContainer / isVirtualMachineLikely): on automated/sandboxed hosts the package only logs a benign message, while on real developer workstations the decrypted JavaScript is executed when the exported `getUniqueID(64)` function is called. Any consumer that imports random-string-64 and invokes its documented API on a developer machine runs attacker-controlled code with the privileges of the calling process. The combination of opaque encrypted payload, eval-identifier obfuscation, and explicit anti-analysis gating is unambiguous supply-chain attack shape.
## Source: ghsa-malware (51d41457185b1763aa15a707ff9249bd86b4cea4b69ef2cc9a75e2755f4d2ad8)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.