@bcryptln/becryptjs @3.0.11
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10162
Ecosystem
npm
Summary
Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does import '@bcryptln/becryptjs' . The trailing code hoists require , module , __dirname , and __filename onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier Function , constructs a runtime function from a decoded string, and invokes it. Because require is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the import conditional export, targeting modern ESM consumers while keeping the require path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide Function and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.
Source: amazon-inspector (cb86f48a4b796f17dc1017a92153b88afce1f15690687eaa422162d9dd9f347d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.