MAL-2026-2798
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b)
request-easy-validator impersonates the popular request package (cloned README, bugs URL points at github.com/request/request, source is a fork of request) and ships a hidden remote-code-execution dropper. index.js exports a middleware function (also exposed as default, .reqValidator, and .request) that, on any invocation by the consumer, spawns a detached child process running node lib/callers.js with stdio: 'ignore' and child.unref(), so the child is hidden from the parent process. lib/callers.js then issues an HTTPS GET to https://jsonkeeper.com/b/PWEH9 (an anonymous, mutable, attacker-controlled paste host) with header x-secret-key: _, takes the .Cookie field from the response, and passes that string (s) to new Function.constructor('require', s), invoked with the live require — granting the paste-host operator arbitrary Node.js code execution with full module access on any server using this package. Because the payload URL is mutable, the attacker can change the executed code at any time without republishing the package.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "lib/callers.js",
"sha256": "9e82b0f3bea4634d83caf9fb953b559d92f0a1980e28439500e01d62e909e2d2",
"tlsh": "7001cb8f70ac545c09b013f6bb1fe436f621a46b390291d0375c87421f769ad6603eee"
},
{
"path": "package.json",
"sha256": "99eb2633488f428557d3222c324fdcd95fe719ab092fa3bb34f2263f79dd15bd",
"tlsh": "72415220cc6a8c931ec929e5687d5643b1a0e41bce41bc1d778a639c4f4e46f32b8f6d"
},
{
"path": "index.js",
"sha256": "356f24fff7af39ef7026879a2c571b3c81ee0ecf880078e24b25be69fe5642d6",
"tlsh": "87a1648526e373519aebb2d1e81f4229b675d223320e1a7178c587d81f0cc69d3b3dd5"
}
],
"package_integrity": [
{
"filename": "request-easy-validator-1.0.6.tgz",
"hashes": {
"sha1": "cbc47e82cba4fdfeeab1ca30becb9e459061e49c",
"sha512_sri": "sha512-uyFVWy1EhsZI9PRvTMCwRYpUomfFeGVoGUfJ1F4nXRxtUMT/sigHG+5KbTF5zOuaJsXpomaUmRKr3+gdj1Mccw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "request-easy-validator",
"purl": "pkg:npm/request-easy-validator"
},
"versions": [
"1.1.0",
"1.2.0",
"1.2.1",
"1.0.6",
"1.0.7"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://www.reversinglabs.com"
],
"name": "ReversingLabs",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "RLMA-2026-02035",
"import_time": "2026-04-16T15:39:16.491459746Z",
"modified_time": "2026-04-16T10:15:30Z",
"sha256": "8edcb2f860332561b7d9050d2ce2e2dcb82eecbbc51dc8c659ca4e741f70de1b",
"source": "reversing-labs",
"versions": [
"1.1.0",
"1.2.0",
"1.2.1"
]
},
{
"import_time": "2026-04-23T20:48:59.140631663Z",
"modified_time": "2026-04-23T20:43:56Z",
"sha256": "f6016a67de1924ce3156de3c59cb6f311ad9fe0151c129cd63dc56007576a369",
"source": "amazon-inspector",
"versions": [
"1.1.0",
"1.2.0",
"1.2.1"
]
},
{
"id": "IN-MAL-2026-003458",
"import_time": "2026-05-26T05:50:40.87663445Z",
"modified_time": "2026-05-20T04:12:52Z",
"sha256": "59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b",
"source": "amazon-inspector",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-003457",
"import_time": "2026-05-26T05:50:40.784672454Z",
"modified_time": "2026-05-20T04:12:27Z",
"sha256": "59c86157ff92828c8f05107e9b16169821d937ef657d7fcbb19d6862242c07af",
"source": "amazon-inspector",
"versions": [
"1.0.7"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (59057b0a6f845ac1e8bfa571c4e26295e469abdd5c6faa2e68007ef78816ec9b)\nrequest-easy-validator impersonates the popular `request` package (cloned README, bugs URL points at github.com/request/request, source is a fork of `request`) and ships a hidden remote-code-execution dropper. index.js exports a `middleware` function (also exposed as default, `.reqValidator`, and `.request`) that, on any invocation by the consumer, spawns a detached `node lib/callers.js` child with `stdio: \u0027ignore\u0027` and `child.unref()` to hide it from the parent process. lib/callers.js then issues an HTTPS GET to https://jsonkeeper.com/b/PWEH9 (an anonymous, mutable, attacker-controlled paste host) with header `x-secret-key: _`, takes the `.Cookie` field from the response, and passes it to `new Function.constructor(\u0027require\u0027, s)` invoked with the live `require` \u2014 granting the paste-host operator arbitrary Node.js code execution with full module access on any server using this package. The payload URL is mutable, so the attacker can change the executed code at any time without republishing the package.\n",
"id": "MAL-2026-2798",
"modified": "2026-05-26T05:55:04Z",
"published": "2026-04-16T10:15:30Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/request-easy-validator/v/1.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/request-easy-validator/v/1.0.7"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in request-easy-validator (npm)"
}