MAL-2026-4779
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73)
Package name 'ether-bn.js' resembles the widely-used 'bn.js' big-number library, and the README directs users to install yet another name ('buffernumber.js'). The repository and homepage fields point at the legitimate indutny/bn.js project while the author field is unrelated. The shipped lib/bn.js is a near-verbatim copy of upstream bn.js with two non-upstream additions: a top-level const uniqueString = require('unique-id-64'); (lib/bn.js:38) and a check if (BN.isBN(number) && uniqueString(64)) { return number; } inside the BN constructor (lib/bn.js:20). package.json adds unique-id-64: ^1.0.0 to dependencies. The injected require is unconditionally evaluated when the module is loaded, and uniqueString(64) is invoked on every BN clone path, so any consumer that does new BN(existingBn) executes the third-party unique-id-64 package's code. The injected dependency is unpinned (^1.0.0) and is not a legitimate transitive of bn.js — it is the payload-delivery vehicle for whatever the third-party package contains now or in the future. Installers expecting bn.js semantics silently take a runtime dependency on attacker-selected code reached through a confusingly-named lookalike package.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "lib/bn.js",
"sha256": "d6b7f7f510a0574745196d24515cc9f121560cc5755aa1afe1f9283351ba8d8c",
"tlsh": "e8938844abb720599a4b753c4faf60886a74e41b5847dd08bd8ce3e06f5502482fdffa"
},
{
"path": "package.json",
"sha256": "cbbc438fa05f5350c7e7b503b7975447865e03c72373cfb9e272d00d8366486f",
"tlsh": "41114c58cc694ca32bd566e5489d600bb671885b4898fc0cb3e7521c4b5f16f11feabc"
}
],
"package_integrity": [
{
"filename": "ether-bn.js-1.4.0.tgz",
"hashes": {
"sha1": "c98f6b5e1991a17a64e421b2cc3e6ab5deeef1d7",
"sha512_sri": "sha512-s2MbqGoQUt4wUpUMfI/H6wWPXKVVld4nXaqOHjyGvdXkd1AIdNQv1fv7nQAYNzrsoBuTc1SPMIG1QqzURKBmhw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "ether-bn.js"
},
"versions": [
"1.4.0",
"1.4.1"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004851",
"import_time": "2026-05-26T06:26:14.140621251Z",
"modified_time": "2026-05-26T06:25:09Z",
"sha256": "4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73",
"source": "amazon-inspector",
"versions": [
"1.4.0"
]
},
{
"id": "IN-MAL-2026-004856",
"import_time": "2026-05-26T07:48:28.324713291Z",
"modified_time": "2026-05-26T07:09:54Z",
"sha256": "c00780a3026cf6886eb1c16dbfe7a20d9dea3ac9e12bd2de1a3856249df8d878",
"source": "amazon-inspector",
"versions": [
"1.4.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cc5567869e3d616af151887f680ef13bf23f8a19fe5978343254b921c1c7c73)\nPackage name \u0027ether-bn.js\u0027 resembles the widely-used \u0027bn.js\u0027 big-number library, and the README directs users to install yet another name (\u0027buffernumber.js\u0027). The repository and homepage fields point at the legitimate indutny/bn.js project while the author field is unrelated. The shipped lib/bn.js is a near-verbatim copy of upstream bn.js with two non-upstream additions: a top-level `const uniqueString = require(\u0027unique-id-64\u0027);` (lib/bn.js:38) and a check `if (BN.isBN(number) \u0026\u0026 uniqueString(64)) { return number; }` inside the BN constructor (lib/bn.js:20). package.json adds `unique-id-64: ^1.0.0` to dependencies. The injected require is unconditionally evaluated when the module is loaded, and `uniqueString(64)` is invoked on every BN clone path, so any consumer that does `new BN(existingBn)` executes the third-party `unique-id-64` package\u0027s code. The injected dependency is unpinned (`^1.0.0`) and is not a legitimate transitive of bn.js \u2014 it is the payload-delivery vehicle for whatever the third-party package contains now or in the future. Installers expecting bn.js semantics silently take a runtime dependency on attacker-selected code reached through a confusingly-named lookalike package.\n",
"id": "MAL-2026-4779",
"modified": "2026-05-26T07:50:25Z",
"published": "2026-05-26T06:25:09Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/ether-bn.js/v/1.4.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/ether-bn.js/v/1.4.1"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in ether-bn.js (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.