MAL-2026-10463
Malicious code in node-path-addon (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d) node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that separate npm name. The shim also imports the 'https' module without using it, and the README instructs users to run 'npm install --save path-addon' rather than the actual published name 'node-path-addon', a naming mismatch consistent with typosquat lure behavior. The package itself contains no direct exfiltration or shell execution, but the wildcard-pinned require on import is a loader that grants an external, mutable dependency arbitrary code execution in the consumer's process on every install and require.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for node-path-addon (npm). Pin to a known-safe version or switch to an alternative.