OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10639 confirms this npm version as malicious. The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured `${baseUrl}` and interprets the response as a list of items containing a `hotfix.code` string. That string is wrapped as `return (async ()=>{ <code> })();` and passed to `Object.getPrototypeOf(async function(){}).constructor` (AsyncFunction) with `require, req, res` parameters, then awaited...
Advisory
MAL-2026-10639
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ogensec-sdk (npm)
Details
The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured `${baseUrl}` and interprets the response as a list of items containing a `hotfix.code` string. That string is wrapped as `return (async ()=>{ <code> })();` and passed to `Object.getPrototypeOf(async function(){}).constructor` (AsyncFunction) with `require, req, res` parameters, then awaited. Any JavaScript returned by the configured server therefore runs inside the installer's Node process with full `require` access and access to the live request/response objects on every HTTP request served through the middleware. The feature is marketed only as 'Dynamic security hotfixes' and is not documented as arbitrary remote code execution. The entire shipped `dist/` tree (index.js, bridge.js, client.js) is processed by javascript-obfuscator (rotated base64 string arrays, hex-named identifiers) as declared by the `obfuscate`/`prepublishOnly` scripts in package.json, and no source is published — concealing the remote-code-execution mechanism from developers reviewing the SDK. Any compromise, takeover, or on-path MITM of the configured backend converts every deployment using this middleware into a live RCE on production traffic; the maintainer of the backend also holds a persistent, undisclosed remote-execution channel into every installer.
Decision reason
OpenSSF Malicious Packages via OSV confirms ogensec-sdk@1.1.1 as malicious (MAL-2026-10639): Malicious code in ogensec-sdk (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory