Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in fastify-addone (npm)

fastify-addone

Risk score

92

AI summary

Indexed incident for fastify-addone (npm).

Description

The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.

Technical details

Affected versions

=5.1.0=5.1.1

Indicators

  • affected version=5.1.075%
  • affected version=5.1.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents