VDB
KO

MAL-2026-10151

Malicious code in buffer-util-internal (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7) Package impersonates Feross Aboukhadijeh's widely-used `buffer` package, copying its author, repository, contributors, and description metadata while publishing under the name `buffer-util-internal`. The main module `index.js` contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's `content` field directly to `eval`. The destination URL is hidden behind a variable named `tokenStringRe` with a misleading `// Random string to generate strong random value` comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate `buffer` package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / buffer-util-internal

No fixed version published yet for buffer-util-internal (npm). Pin to a known-safe version or switch to an alternative.

References