OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5460 confirms this npm version as malicious. fhirproxy@90.0.0 is a thin loader package whose only behavior is to pull and execute the dependency `fhirproxy-utils`. package.json declares both `preinstall` and `postinstall` hooks that run `node index.js`, and index.js's only meaningful statement is `require('fhirproxy-utils')`...
Advisory
MAL-2026-5460
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fhirproxy (npm)
Details
fhirproxy@90.0.0 is a thin loader package whose only behavior is to pull and execute the dependency `fhirproxy-utils`. package.json declares both `preinstall` and `postinstall` hooks that run `node index.js`, and index.js's only meaningful statement is `require('fhirproxy-utils')`. That dependency is fetched from npm at install time and its top-level code runs on the installer's machine during `npm install` without further user interaction. The package additionally claims a `bin` map that aliases the names of widely used developer tools — `webpack`, `webpackcli`, `vite`, `eslint`, `jest`, `tsc`, `tsnode`, `prettier`, `next`, `nodemon`, `turbo` — all pointing at the same `index.js`. Once installed, `node_modules/.bin/<tool>` resolves to this package, so any subsequent invocation of those commands in the project (CI builds, local dev scripts) re-executes index.js and re-loads fhirproxy-utils instead of the genuine tool. The package presents itself as OpenMRS REST tooling (`author: "OpenMRS Community Contributor"`, version 90.0.0, 351-byte stub printing `[+] OpenMRS REST Utilities Subsystem Initialized.`), but real OpenMRS packages are scoped under `@openmrs/*` and published by named maintainers — this is impersonation, not a real OpenMRS project. The combination of impersonation metadata, lifecycle-hook execution of an opaque dependency, and bin-hijacking of common dev tooling forces installer-side execution of attacker-controlled code at install time and on every subsequent invocation of any hijacked tool name.
## Source: ghsa-malware (3e79c782816c05ce4e9ed0422b47d60228b6b1c61c3cf26196177ea0a0c56e00) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms fhirproxy@90.0.0 as malicious (MAL-2026-5460): Malicious code in fhirproxy (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory