registry  /  multer-orm  /  2.0.2

multer-orm@2.0.2

Middleware for handling `multipart/form-data`.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10064 confirms this npm version as malicious. multer-orm is a typosquat of the widely used `multer` middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs `require('multer-orm')`. On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a `downloader_url`, downloads the referenced binary into the Chrome User Data...

Advisory
MAL-2026-10064
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in multer-orm (npm)
Details
multer-orm is a typosquat of the widely used `multer` middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs `require('multer-orm')`. On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a `downloader_url`, downloads the referenced binary into the Chrome User Data directory as `chrome.exe`, marks it executable, and runs it. When the current Node process is not elevated, the code re-spawns itself via `powershell Start-Process node -Verb RunAs -WindowStyle Hidden` to obtain admin rights, then writes a temporary PowerShell script that calls `Add-MpPreference -ExclusionPath` against roughly twenty existing directories (including the Chrome/Edge User Data paths where the payload is dropped), executed via cscript.exe, to disable Windows Defender scanning of the dropper's staging locations. The URLs, PowerShell commands, exclusion strings, and filesystem paths are hidden behind obfuscator.io-style string-array + rotation obfuscation in lib/feature.js. package.json also declares a self-referential dependency on `multer-orm`. Installing or requiring this package results in arbitrary remote code execution on the installer's Windows machine with attempted elevation to admin and antivirus tampering.
Decision reason
OpenSSF Malicious Packages via OSV confirms multer-orm@2.0.2 as malicious (MAL-2026-10064): Malicious code in multer-orm (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory