VDB
KO

MAL-2026-5460

Malicious code in fhirproxy (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (96e092973bad8e995bdec34000e45943e0be59996e84f181ee4bee9cd423f8eb) fhirproxy@90.0.0 is a thin loader package whose only behavior is to pull and execute the dependency `fhirproxy-utils`. package.json declares both `preinstall` and `postinstall` hooks that run `node index.js`, and index.js's only meaningful statement is `require('fhirproxy-utils')`. That dependency is fetched from npm at install time and its top-level code runs on the installer's machine during `npm install` without further user interaction. The package additionally claims a `bin` map that aliases the names of widely used developer tools — `webpack`, `webpackcli`, `vite`, `eslint`, `jest`, `tsc`, `tsnode`, `prettier`, `next`, `nodemon`, `turbo` — all pointing at the same `index.js`. Once installed, `node_modules/.bin/<tool>` resolves to this package, so any subsequent invocation of those commands in the project (CI builds, local dev scripts) re-executes index.js and re-loads fhirproxy-utils instead of the genuine tool. The package presents itself as OpenMRS REST tooling (`author: "OpenMRS Community Contributor"`, version 90.0.0, 351-byte stub printing `[+] OpenMRS REST Utilities Subsystem Initialized.`), but real OpenMRS packages are scoped under `@openmrs/*` and published by named maintainers — this is impersonation, not a real OpenMRS project. The combination of impersonation metadata, lifecycle-hook execution of an opaque dependency, and bin-hijacking of common dev tooling forces installer-side execution of attacker-controlled code at install time and on every subsequent invocation of any hijacked tool name.

## Source: ghsa-malware (3e79c782816c05ce4e9ed0422b47d60228b6b1c61c3cf26196177ea0a0c56e00) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / fhirproxy
Introduced in: 0

No fixed version published yet for fhirproxy (npm). Pin to a known-safe version or switch to an alternative.

References