registry  /  node-path-addon  /  1.0.8

node-path-addon@1.0.8

Node.js path module

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10463 confirms this npm version as malicious. node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that...

Advisory
MAL-2026-10463
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-path-addon (npm)
Details
node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that separate npm name. The shim also imports the 'https' module without using it, and the README instructs users to run 'npm install --save path-addon' rather than the actual published name 'node-path-addon', a naming mismatch consistent with typosquat lure behavior. The package itself contains no direct exfiltration or shell execution, but the wildcard-pinned require on import is a loader that grants an external, mutable dependency arbitrary code execution in the consumer's process on every install and require.
Decision reason
OpenSSF Malicious Packages via OSV confirms node-path-addon@1.0.8 as malicious (MAL-2026-10463): Malicious code in node-path-addon (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory