registry  /  node-path-addon  /  1.0.7

node-path-addon@1.0.7

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10463 confirms this npm version as malicious. node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that...

Advisory
MAL-2026-10463
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-path-addon (npm)
Details
node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that separate npm name. The shim also imports the 'https' module without using it, and the README instructs users to run 'npm install --save path-addon' rather than the actual published name 'node-path-addon', a naming mismatch consistent with typosquat lure behavior. The package itself contains no direct exfiltration or shell execution, but the wildcard-pinned require on import is a loader that grants an external, mutable dependency arbitrary code execution in the consumer's process on every install and require. ## Source: ghsa-malware (6b9d31ad60810b0ec7e48b0a716595cc64021531ef9711fab0dd6b7ccfb2cd07) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms node-path-addon@1.0.7 as malicious (MAL-2026-10463): Malicious code in node-path-addon (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory