multer-orm @2.0.6
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10064
Ecosystem
npm
Summary
Package name impersonates the popular multer middleware and copies its README/repo metadata. On require('multer-orm') , index.js loads lib/feature.js , which at module load fetches a JSON document from https://hilbert-self.vercel.app/ , extracts a downloader_url field, downloads an opaque binary over http/https with no pinning or integrity check, writes it as chrome.exe under the Chrome User Data directory to masquerade as the browser, and executes it via execFile / spawn (chmod 755 on non-Windows). When running as administrator on Windows, the code first writes and runs a PowerShell script that calls Add-MpPreference -ExclusionPath on the staging directory to evade Windows Defender; when not elevated, it re-spawns itself via powershell -Command Start-Process... -Verb RunAs -WindowStyle Hidden to obtain UAC elevation. The dropper logic in lib/feature.js is hidden behind obfuscator.io-style string-array rotation that conceals identifiers such as child_process , powershell , chrome.exe , Add-MpPreference , and the C2 hostname. There is no legitimate multipart/form-data middleware functionality — the package exists solely to deliver the remote payload to anyone who mistypes multer .
Source: amazon-inspector (489805f0242c070653fa4e09c782d8135971a370b3ae292d31d721507332a12f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.