MAL-2026-10098
Malicious code in fastify-addone (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf) The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for fastify-addone (npm). Pin to a known-safe version or switch to an alternative.