Supply-chain threat intelligence
Risk score
92
Indexed incident for @bcryptln/becryptjs (npm).
Package @bcryptln/becryptjs impersonates the widely-used bcryptjs library (its own metadata still references the upstream dcodeIO/bcrypt.js project). The ESM entrypoint index.js contains a legitimate copy of bcryptjs followed by whitespace padding and an appended obfuscated block that runs unconditionally when a consumer does import '@bcryptln/becryptjs'. The trailing code hoists require, module, __dirname, and __filename onto globals, then uses two custom positional string-shuffle decoders with hardcoded numeric seeds to derive the identifier Function, constructs a runtime function from a decoded string, and invokes it. Because require is re-exposed to the constructed function, the payload has full CommonJS reach (fs, child_process, http, net) from within an ESM module. The CommonJS/UMD entrypoint (umd/index.js) is a clean copy of upstream with no payload — the malicious code is placed only on the import conditional export, targeting modern ESM consumers while keeping the require path benign to defeat diff-against-upstream review. The combination of name impersonation, hidden payload appended after whitespace padding, custom string-shuffle obfuscation whose only purpose is to hide Function and the payload body, dynamic code construction with re-exposed CommonJS primitives, and UMD/ESM split are jointly consistent with an intentional supply-chain trojan.
Affected versions
Indicators
Timeline