npm

@asyncapi/generator @3.3.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2025-190636

Ecosystem

npm

Summary

lib/templates/config/validator.js contains a javascript-obfuscator string-array block (variables _0x1dd48b / _0x2d89 , base64+URI-decode decoder with rotation) injected between legitimate functions. The block requires fs , path , https , child_process.spawn , and os , and invokes a top-level main() that calls spawn(<decoded-node-binary>, ['-e', <decoded-payload>], {detached:true, stdio:'ignore', windowsHide:true}).unref() . The -e argument is a ~4KB base64-encoded JavaScript body reconstructed from the obfuscated string array. The command name, -e flag, stdio value, and payload are all hidden behind the string-array decoder. Because validator.js is reachable via require() in this widely-used generator, loading the module launches a hidden, detached Node child process running attacker-supplied code with fs / https / os capabilities on the installer's machine. The obfuscation, mismatch with the file's declared validator purpose, and injection between existing functions are inconsistent with a legitimate maintainer change and match a compromised-release pattern.

Source: amazon-inspector (271b2ffc02354a99b950c43cd98e81e855e4ec554a445246410b25ab57cf3313)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.