MAL-2026-10162
Malicious code in @bcryptln/becryptjs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d) Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does `import '@bcryptln/becryptjs'`. The trailing code hoists `require`, `module`, `__dirname`, and `__filename` onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier `Function`, constructs a runtime function from a decoded string, and invokes it. Because `require` is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the `import` conditional export, targeting modern ESM consumers while keeping the `require` path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide `Function` and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @bcryptln/becryptjs (npm). Pin to a known-safe version or switch to an alternative.