OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10162 confirms this npm version as malicious. Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does `import '@bcryptln/becryptjs'`...
Advisory
MAL-2026-10162
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @bcryptln/becryptjs (npm)
Details
Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does `import '@bcryptln/becryptjs'`. The trailing code hoists `require`, `module`, `__dirname`, and `__filename` onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier `Function`, constructs a runtime function from a decoded string, and invokes it. Because `require` is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the `import` conditional export, targeting modern ESM consumers while keeping the `require` path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide `Function` and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.
Decision reason
OpenSSF Malicious Packages via OSV confirms @bcryptln/becryptjs@3.0.11 as malicious (MAL-2026-10162): Malicious code in @bcryptln/becryptjs (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory