registry  /  multer-orm  /  2.0.7

multer-orm@2.0.7

Middleware for handling `multipart/form-data`.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10064 confirms this npm version as malicious. multer-orm is a typosquat of the widely used `multer` middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs `require('multer-orm')`. On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a `downloader_url`, downloads the referenced binary into the Chrome User Data...

Advisory
MAL-2026-10064
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in multer-orm (npm)
Details
multer-orm is a typosquat of the widely used `multer` middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs `require('multer-orm')`. On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a `downloader_url`, downloads the referenced binary into the Chrome User Data directory as `chrome.exe`, marks it executable, and runs it. When the current Node process is not elevated, the code re-spawns itself via `powershell Start-Process node -Verb RunAs -WindowStyle Hidden` to obtain admin rights, then writes a temporary PowerShell script that calls `Add-MpPreference -ExclusionPath` against roughly twenty existing directories (including the Chrome/Edge User Data paths where the payload is dropped), executed via cscript.exe, to disable Windows Defender scanning of the dropper's staging locations. The URLs, PowerShell commands, exclusion strings, and filesystem paths are hidden behind obfuscator.io-style string-array + rotation obfuscation in lib/feature.js. package.json also declares a self-referential dependency on `multer-orm`. Installing or requiring this package results in arbitrary remote code execution on the installer's Windows machine with attempted elevation to admin and antivirus tampering.
Decision reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 24.6 KB of source, external domains: hilbert-self.vercel.app

Source & flagged code

5 flagged · loading source
lib/feature.jsView file
matchType = previous_version_dangerous_delta matchedPackage = multer-orm@2.0.3 matchedIdentity = npm:bXVsdGVyLW9ybQ:2.0.3 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/feature.jsView on unpkg
1const a0_0x4ae873=a0_0xb286;(function(_0x3a71f5,_0x45a658){const _0x22733=a0_0xb286,_0x3773d6=_0x3a71f5();while(!![]){try{const _0xdcead1=-parseInt(_0x22733(0x100))/0x1+parseInt(_0...
High
Child Process

Package source references child process execution.

lib/feature.jsView on unpkg · L1
1const a0_0x4ae873=a0_0xb286;(function(_0x3a71f5,_0x45a658){const _0x22733=a0_0xb286,_0x3773d6=_0x3a71f5();while(!![]){try{const _0xdcead1=-parseInt(_0x22733(0x100))/0x1+parseInt(_0...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/feature.jsView on unpkg · L1
1const a0_0x4ae873=a0_0xb286;(function(_0x3a71f5,_0x45a658){const _0x22733=a0_0xb286,_0x3773d6=_0x3a71f5();while(!![]){try{const _0xdcead1=-parseInt(_0x22733(0x100))/0x1+parseInt(_0...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

lib/feature.jsView on unpkg · L1
index.jsView file
1var makeMiddleware = require('./lib/make-middleware') L2: var diskStorage = require('./storage/disk')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/feature.js
HighChild Processlib/feature.js
HighSame File Env Network Executionlib/feature.js
HighObfuscated Payload Loaderlib/feature.js
HighObfuscated
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings