npm

fastify-addone @5.1.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10098

Ecosystem

npm

Summary

The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.

Source: amazon-inspector (21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.