@asyncapi/generator @3.3.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2025-190636
Ecosystem
npm
Summary
lib/templates/config/validator.js contains a javascript-obfuscator string-array block (variables _0x1dd48b / _0x2d89 , base64+URI-decode decoder with rotation) injected between legitimate functions. The block requires fs , path , https , child_process.spawn , and os , and invokes a top-level main() that calls spawn(<decoded-node-binary>, ['-e', <decoded-payload>], {detached:true, stdio:'ignore', windowsHide:true}).unref() . The -e argument is a ~4KB base64-encoded JavaScript body reconstructed from the obfuscated string array. The command name, -e flag, stdio value, and payload are all hidden behind the string-array decoder. Because validator.js is reachable via require() in this widely-used generator, loading the module launches a hidden, detached Node child process running attacker-supplied code with fs / https / os capabilities on the installer's machine. The obfuscation, mismatch with the file's declared validator purpose, and injection between existing functions are inconsistent with a legitimate maintainer change and match a compromised-release pattern.
Source: amazon-inspector (271b2ffc02354a99b950c43cd98e81e855e4ec554a445246410b25ab57cf3313)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.