ogensec-sdk @1.2.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10639
Ecosystem
npm
Summary
The package ships an Express middleware that, on each incoming request, POSTs {appId, endpoint} to a configured ${baseUrl} and interprets the response as a list of items containing a hotfix.code string. That string is wrapped as return (async ()=>{ <code> })(); and passed to Object.getPrototypeOf(async function(){}).constructor (AsyncFunction) with require, req, res parameters, then awaited. Any JavaScript returned by the configured server therefore runs inside the installer's Node process with full require access and access to the live request/response objects on every HTTP request served through the middleware. The feature is marketed only as 'Dynamic security hotfixes' and is not documented as arbitrary remote code execution. The entire shipped dist/ tree (index.js, bridge.js, client.js) is processed by javascript-obfuscator (rotated base64 string arrays, hex-named identifiers) as declared by the obfuscate / prepublishOnly scripts in package.json, and no source is published — concealing the remote-code-execution mechanism from developers reviewing the SDK. Any compromise, takeover, or on-path MITM of the configured backend converts every deployment using this middleware into a live RCE on production traffic; the maintainer of the backend also holds a persistent, undisclosed remote-execution channel into every installer.
Source: amazon-inspector (4acb9448e8289c41cb35a883074545d2a790b719104b2f7c9a99bfca3e3f64ff)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.