VDB
KO

MAL-2026-10639

Malicious code in ogensec-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4acb9448e8289c41cb35a883074545d2a790b719104b2f7c9a99bfca3e3f64ff) The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured `${baseUrl}` and interprets the response as a list of items containing a `hotfix.code` string. That string is wrapped as `return (async ()=>{ <code> })();` and passed to `Object.getPrototypeOf(async function(){}).constructor` (AsyncFunction) with `require, req, res` parameters, then awaited. Any JavaScript returned by the configured server therefore runs inside the installer's Node process with full `require` access and access to the live request/response objects on every HTTP request served through the middleware. The feature is marketed only as 'Dynamic security hotfixes' and is not documented as arbitrary remote code execution. The entire shipped `dist/` tree (index.js, bridge.js, client.js) is processed by javascript-obfuscator (rotated base64 string arrays, hex-named identifiers) as declared by the `obfuscate`/`prepublishOnly` scripts in package.json, and no source is published — concealing the remote-code-execution mechanism from developers reviewing the SDK. Any compromise, takeover, or on-path MITM of the configured backend converts every deployment using this middleware into a live RCE on production traffic; the maintainer of the backend also holds a persistent, undisclosed remote-execution channel into every installer.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ogensec-sdk

No fixed version published yet for ogensec-sdk (npm). Pin to a known-safe version or switch to an alternative.

References