registry  /  path-addon-extend  /  1.0.8

path-addon-extend@1.0.8

Node.js path module

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10420 confirms this npm version as malicious. path-addon-extend presents itself as a copy of Node's built-in `path` module. On module load, path.js issues an HTTPS GET to a base64-obscured URL that decodes to https://json.extendsclass.com/bin/567893d4e220 and passes the response's `.content` field directly to `eval()`...

Advisory
MAL-2026-10420
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in path-addon-extend (npm)
Details
path-addon-extend presents itself as a copy of Node's built-in `path` module. On module load, path.js issues an HTTPS GET to a base64-obscured URL that decodes to https://json.extendsclass.com/bin/567893d4e220 and passes the response's `.content` field directly to `eval()`. The destination is a public JSON-bin service whose contents can be mutated at any time by the publisher (or anyone in possession of the bin token), giving arbitrary remote code execution in any process that requires this package. The endpoint is stored as a base64 literal decoded via `atob(...)` at call time rather than as a plain string, concealing the destination in a package that otherwise mirrors the Node core `path` module.
Decision reason
OpenSSF Malicious Packages via OSV confirms path-addon-extend@1.0.8 as malicious (MAL-2026-10420): Malicious code in path-addon-extend (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory