
multer-orm@2.0.5

Middleware for handling `multipart/form-data`.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing multer-orm loads an obfuscated downloader that fetches a URL from a Vercel endpoint, writes a chrome.exe under the user's Windows Chrome profile path, and executes it. This is unrelated to multipart upload middleware behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
Application require/import of package entrypoint index.js
Impact
Remote arbitrary executable download and execution on Windows hosts
Mechanism
obfuscated import-time remote payload downloader and executor
Attack narrative
At import time, index.js requires lib/feature.js. That file immediately calls mongooseCli once, checks for Windows, retrieves JSON from https://hilbert-self.vercel.app/, downloads the returned downloader_url into a Chrome user-data-looking path as chrome.exe, marks it executable on non-Windows paths, and launches it via PowerShell Start-Process or execFile.
Rationale
Direct source inspection confirms import-time obfuscated remote executable download and execution with a deceptive Chrome path, unrelated to multer middleware. This is concrete malware behavior, not a package-aligned primitive.
Evidence
  • package.json
  • index.js
  • lib/feature.js
  • %USERPROFILE%/AppData/Local/Google/Chrome/User Data/chrome.exe
Network endpoints (1)
hilbert-self.vercel.app/

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js imports ./lib/feature at module load, so requiring the package triggers feature.js.
  • lib/feature.js is obfuscated and runs mongooseCli immediately via !initialized guard.
  • lib/feature.js contacts https://hilbert-self.vercel.app/ and parses downloader_url from JSON.
  • lib/feature.js downloads remote file to Windows Chrome user data path as chrome.exe.
  • lib/feature.js executes the downloaded file with PowerShell Start-Process on Windows or execFile otherwise.
  • package.json has no lifecycle hook, but import-time execution is present.
Evidence against
  • Malicious path is gated to process.platform === win32.
  • Code skips execution if Windows Explorer package path exists, limiting some hosts.
  • No credential harvesting source was observed in package files inspected.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, Filesystem
Supply chain
Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 9 file(s), 18.8 KB of source, external domains: hilbert-self.vercel.app

Source & flagged code

3 flagged
index.js
var makeMiddleware = require('./lib/make-middleware')
var diskStorage = require('./storage/disk')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.js · L1
lib/feature.js
matchType = previous_version_dangerous_delta
matchedPackage = multer-orm@2.0.3
matchedIdentity = npm:bXVsdGVyLW9ybQ:2.0.3
similarity = 0.889
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/feature.js
const a0_0xce7d7a=a0_0x1306;(function(_0x1c860d,_0x46e537){const _0x4cec6f=a0_0x1306,_0x2940c9=_0x1c860d();while(!![]){try{const _0x4ca13b=-parseInt(_0x4cec6f(0x181))/0x1+parseInt(...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

lib/feature.js · L1

Findings

1 Critical · 2 High · 2 Medium · 3 Low
Critical · Previous Version Dangerous Delta · lib/feature.js
High · Obfuscated Payload Loader · lib/feature.js
High · Obfuscated
Medium · Dynamic Require · index.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Url Strings