OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10405 confirms this npm version as malicious. @torbeck/heap impersonates the legitimate @datastructures-js/heap package: README.md line 1 reads `# @datastructures-js/heap`, package.json sets homepage/repository/bugs to github.com/datastructures-js/heap and author to `Eyas Ranjous <eyas-ranjous@gmail.com>`, while the npm scope `@torbeck` is unrelated. The package re-exports the genuine Heap class so consumers get a working API. Appended to src/heap.js after...
Advisory
MAL-2026-10405
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @torbeck/heap (npm)
Details
@torbeck/heap impersonates the legitimate @datastructures-js/heap package: README.md line 1 reads `# @datastructures-js/heap`, package.json sets homepage/repository/bugs to github.com/datastructures-js/heap and author to `Eyas Ranjous <eyas-ranjous@gmail.com>`, while the npm scope `@torbeck` is unrelated. The package re-exports the genuine Heap class so consumers get a working API. Appended to src/heap.js after `exports.Heap = Heap;` (around line 247) is a heavily obfuscated obfuscator.io payload (two rotated string-array RC4-style decoders, ~580 and ~700 entries, with Function.toString anti-tamper traps and console-method override checks). On `require('@torbeck/heap')` via the package's index.js main entry, the payload derives an AES key by XORing four hardcoded buffers, decrypts a hidden URL, issues an http/https.request to download a binary into os.tmpdir(), writes a PID lock and.meta.json with a sha256, chmods the file to 0755, and spawns it detached via process.execPath or `bash -c` with stdio:'ignore', windowsHide:true, and unref() — plus a re-exec wrapper that respawns the parent under a sentinel. Platform-specific branches handle win/linux/mac. There is no version pinning or signature check on the downloaded bytes, the URL is concealed by obfuscation, and the dropped binary's purpose is unrelated to a heap data-structure library. This is a typosquat carrying an install/require-time RCE dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms @torbeck/heap@4.3.11 as malicious (MAL-2026-10405): Malicious code in @torbeck/heap (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory