buffer-util-internal @1.0.14
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10151
Ecosystem
npm
Summary
Package impersonates Feross Aboukhadijeh's widely-used buffer package, copying its author, repository, contributors, and description metadata while publishing under the name buffer-util-internal . The main module index.js contains a top-level IIFE that base64-decodes a hardcoded URL (decoding to https://www.jsonkeeper.com/b/PT0ON), fetches a JSON document from that anonymous paste host, and passes the response's content field directly to eval . The destination URL is hidden behind a variable named tokenStringRe with a misleading // Random string to generate strong random value comment, alongside a second base64 string referencing a sibling paste id. Because the fetched content is attacker-mutable, every consumer that requires this package executes whatever JavaScript the paste host serves at that moment — a full remote code execution primitive on the installer at require time. The package also declares unusual dependencies (axios, execp, request) inconsistent with the legitimate buffer package.
Source: amazon-inspector (d329e426a3af00dc4cb53c8535a3e53848f09a1b80e561f84f29c77bffe746d7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.