MAL-2026-10463: Malicious code in node-path-addon (npm)
The node-path-addon npm package is a malicious typosquatting package that masquerades as an extension of the Node.js built-in 'path' module. It uses a wildcard dependency on another package, path-addon-extend, allowing arbitrary code execution controlled by whoever owns that dependency. The package itself does not directly exfiltrate data or execute shells but acts as a loader that executes external code on every install and require. The package name mismatch and README instructions suggest it is designed to lure users into installing it by confusing it with a legitimate package.
AI Analysis
Technical Summary
node-path-addon is a malicious npm package that pretends to extend the Node.js 'path' module. Its main module requires 'path-addon-extend' at a wildcard version '*', causing the latest version of that external package to be loaded and executed. Since the external dependency is mutable and controlled by a third party, this design allows arbitrary code execution in the consumer's process whenever node-path-addon is installed or required. The package also imports 'https' without use and misleads users with README instructions to install a similarly named package, consistent with typosquatting tactics. No direct payload such as exfiltration or shell execution is present in node-path-addon itself, but the indirect code execution risk is significant.
Potential Impact
Consumers of node-path-addon version 1.0.8 are at risk of arbitrary code execution due to the wildcard dependency on path-addon-extend, which can be updated by an attacker at any time. This can lead to compromise of the environment where the package is installed. There are no known exploits in the wild currently. The malicious package does not itself contain direct exfiltration or shell execution code but enables execution of arbitrary code via the external dependency.
Mitigation Recommendations
Avoid using node-path-addon entirely, especially version 1.0.8, as it is a malicious typosquatting package. There is no official fix or patch available. Users should verify package names carefully before installation and rely on trusted sources. Remove node-path-addon from any projects and replace with the legitimate Node.js 'path' module or a trusted alternative. Monitor dependencies for typosquatting or suspicious wildcard dependencies.
MAL-2026-10463: Malicious code in node-path-addon (npm)
Description
The node-path-addon npm package is a malicious typosquatting package that masquerades as an extension of the Node.js built-in 'path' module. It uses a wildcard dependency on another package, path-addon-extend, allowing arbitrary code execution controlled by whoever owns that dependency. The package itself does not directly exfiltrate data or execute shells but acts as a loader that executes external code on every install and require. The package name mismatch and README instructions suggest it is designed to lure users into installing it by confusing it with a legitimate package.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
node-path-addon is a malicious npm package that pretends to extend the Node.js 'path' module. Its main module requires 'path-addon-extend' at a wildcard version '*', causing the latest version of that external package to be loaded and executed. Since the external dependency is mutable and controlled by a third party, this design allows arbitrary code execution in the consumer's process whenever node-path-addon is installed or required. The package also imports 'https' without use and misleads users with README instructions to install a similarly named package, consistent with typosquatting tactics. No direct payload such as exfiltration or shell execution is present in node-path-addon itself, but the indirect code execution risk is significant.
Potential Impact
Consumers of node-path-addon version 1.0.8 are at risk of arbitrary code execution due to the wildcard dependency on path-addon-extend, which can be updated by an attacker at any time. This can lead to compromise of the environment where the package is installed. There are no known exploits in the wild currently. The malicious package does not itself contain direct exfiltration or shell execution code but enables execution of arbitrary code via the external dependency.
Mitigation Recommendations
Avoid using node-path-addon entirely, especially version 1.0.8, as it is a malicious typosquatting package. There is no official fix or patch available. Users should verify package names carefully before installation and rely on trusted sources. Remove node-path-addon from any projects and replace with the legitimate Node.js 'path' module or a trusted alternative. Monitor dependencies for typosquatting or suspicious wildcard dependencies.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10463
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a55ffb868715ace432facc0
Added to database: 07/14/2026, 09:22:00 UTC
Last enriched: 07/14/2026, 09:59:56 UTC
Last updated: 07/14/2026, 10:50:29 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.