Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10463: Malicious code in node-path-addon (npm)

0
High
Published: 07/13/2026 (07/13/2026, 17:37:21 UTC)
Source: GCVE Database
Product: node-path-addon

Description

The node-path-addon npm package is a malicious typosquatting package that masquerades as an extension of the Node.js built-in 'path' module. It uses a wildcard dependency on another package, path-addon-extend, allowing arbitrary code execution controlled by whoever owns that dependency. The package itself does not directly exfiltrate data or execute shells but acts as a loader that executes external code on every install and require. The package name mismatch and README instructions suggest it is designed to lure users into installing it by confusing it with a legitimate package.

Affected software

npmghsa
node-path-addon
Affected versions
=1.0.8

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 09:59:56 UTC

Technical Analysis

node-path-addon is a malicious npm package that pretends to extend the Node.js 'path' module. Its main module requires 'path-addon-extend' at a wildcard version '*', causing the latest version of that external package to be loaded and executed. Since the external dependency is mutable and controlled by a third party, this design allows arbitrary code execution in the consumer's process whenever node-path-addon is installed or required. The package also imports 'https' without use and misleads users with README instructions to install a similarly named package, consistent with typosquatting tactics. No direct payload such as exfiltration or shell execution is present in node-path-addon itself, but the indirect code execution risk is significant.

Potential Impact

Consumers of node-path-addon version 1.0.8 are at risk of arbitrary code execution due to the wildcard dependency on path-addon-extend, which can be updated by an attacker at any time. This can lead to compromise of the environment where the package is installed. There are no known exploits in the wild currently. The malicious package does not itself contain direct exfiltration or shell execution code but enables execution of arbitrary code via the external dependency.

Mitigation Recommendations

Avoid using node-path-addon entirely, especially version 1.0.8, as it is a malicious typosquatting package. There is no official fix or patch available. Users should verify package names carefully before installation and rely on trusted sources. Remove node-path-addon from any projects and replace with the legitimate Node.js 'path' module or a trusted alternative. Monitor dependencies for typosquatting or suspicious wildcard dependencies.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10463
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a55ffb868715ace432facc0

Added to database: 07/14/2026, 09:22:00 UTC

Last enriched: 07/14/2026, 09:59:56 UTC

Last updated: 07/14/2026, 10:50:29 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses