MAL-2026-10064
Malicious code in multer-orm (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (489805f0242c070653fa4e09c782d8135971a370b3ae292d31d721507332a12f) Package name impersonates the popular `multer` middleware and copies its README/repo metadata. On `require('multer-orm')`, `index.js` loads `lib/feature.js`, which at module load fetches a JSON document from `https://hilbert-self.vercel.app/`, extracts a `downloader_url` field, downloads an opaque binary over http/https with no pinning or integrity check, writes it as `chrome.exe` under the Chrome `User Data` directory to masquerade as the browser, and executes it via `execFile`/`spawn` (chmod 755 on non-Windows). When running as administrator on Windows, the code first writes and runs a PowerShell script that calls `Add-MpPreference -ExclusionPath` on the staging directory to evade Windows Defender; when not elevated, it re-spawns itself via `powershell -Command Start-Process... -Verb RunAs -WindowStyle Hidden` to obtain UAC elevation. The dropper logic in `lib/feature.js` is hidden behind obfuscator.io-style string-array rotation that conceals identifiers such as `child_process`, `powershell`, `chrome.exe`, `Add-MpPreference`, and the C2 hostname. There is no legitimate `multipart/form-data` middleware functionality — the package exists solely to deliver the remote payload to anyone who mistypes `multer`.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for multer-orm (npm). Pin to a known-safe version or switch to an alternative.