Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10151: Malicious code in buffer-util-internal (npm)

0
Critical
Published: 07/10/2026 (07/10/2026, 16:54:54 UTC)
Source: GCVE Database
Product: buffer-util-internal

Description

The npm package 'buffer-util-internal' impersonates the legitimate 'buffer' package by copying its metadata but contains malicious code. It fetches attacker-controlled JavaScript from an external URL at require time and executes it via eval, enabling remote code execution on the installer. The package also includes unusual dependencies not present in the legitimate package. Versions 1.0.13 and 1.0.14 are affected.

Affected software

npmghsa
buffer-util-internal
Affected versions
=1.0.13=1.0.14

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:59:09 UTC

Technical Analysis

The 'buffer-util-internal' npm package is a malicious impersonation of the widely-used 'buffer' package. It includes a top-level immediately-invoked function expression (IIFE) that base64-decodes a hardcoded URL, fetches a JSON document from an anonymous paste hosting service, and executes the 'content' field of the response using eval. This allows an attacker to remotely execute arbitrary JavaScript code on any system that installs or requires this package. The package also declares suspicious dependencies inconsistent with the legitimate 'buffer' package, further indicating malicious intent. The affected versions are exactly 1.0.13 and 1.0.14.

Potential Impact

Any consumer that installs or requires 'buffer-util-internal' versions 1.0.13 or 1.0.14 will execute attacker-controlled JavaScript code at install or require time, resulting in a full remote code execution capability on the affected system. This can lead to complete compromise of the host environment.

Mitigation Recommendations

No official patch or fix is currently documented. Users should immediately remove and avoid using the 'buffer-util-internal' package, especially versions 1.0.13 and 1.0.14. Verify dependencies to ensure the legitimate 'buffer' package is used instead. Monitor package sources carefully to avoid supply chain attacks from malicious impersonation packages.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10151
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520ecc68715ace438f6423

Added to database: 07/11/2026, 09:37:16 UTC

Last enriched: 07/11/2026, 09:59:09 UTC

Last updated: 07/11/2026, 09:59:09 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses