npm

multer-orm @2.0.7

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10064

Ecosystem

npm

Summary

multer-orm is a typosquat of the widely used multer middleware. Its README is copied from multer, but the package adds a load-time dropper in lib/feature.js that fires as soon as any consumer runs require('multer-orm') . On Windows the module IIFE auto-invokes a handler that fetches JSON from https://hilbert-self.vercel.app/, extracts a downloader_url , downloads the referenced binary into the Chrome User Data directory as chrome.exe , marks it executable, and runs it. When the current Node process is not elevated, the code re-spawns itself via powershell Start-Process node -Verb RunAs -WindowStyle Hidden to obtain admin rights, then writes a temporary PowerShell script that calls Add-MpPreference -ExclusionPath against roughly twenty existing directories (including the Chrome/Edge User Data paths where the payload is dropped), executed via cscript.exe, to disable Windows Defender scanning of the dropper's staging locations. The URLs, PowerShell commands, exclusion strings, and filesystem paths are hidden behind obfuscator.io-style string-array + rotation obfuscation in lib/feature.js. package.json also declares a self-referential dependency on multer-orm . Installing or requiring this package results in arbitrary remote code execution on the installer's Windows machine with attempted elevation to admin and antivirus tampering.

Source: amazon-inspector (7fb45c09aa7a237b2b9ff18ccf6426b76a4f46e5ea665c7747f35a345940e161)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.