MAL-2026-6536: Malicious code in @krentzen/buffer-reverse (npm)
The @krentzen/buffer-reverse npm package, version 1.0.3, is malicious. It impersonates a legitimate utility (buffer-reverse) and contains heavily obfuscated code that runs at import time, that is, as soon as the module is require()d, not during installation. That code detaches a child Node process which downloads an attacker-controlled binary from the internet and executes it. The binary is unsigned and unverified, so the attacker gets arbitrary native code execution on the host. Any project that depends on this package, directly or transitively, runs this code the moment the module is loaded, which can compromise the environment.
AI Analysis
Technical Summary
@krentzen/buffer-reverse version 1.0.3 is a malicious npm package that impersonates the legitimate buffer-reverse package by copying its author and repository metadata as cover. The module body embeds two large obfuscated IIFEs (immediately invoked function expressions) that execute on require(). They spawn a detached child Node process; that child performs an HTTPS GET request, following redirects, to download a binary whose URL is not pinned to any hash and whose contents are unsigned, writes it to the system temporary directory, sets the executable permission bit, and executes it detached from the parent so that it outlives the importing process. The net effect is attacker-controlled native code execution on every system that imports this package.
Potential Impact
Any Node.js project that requires @krentzen/buffer-reverse version 1.0.3 executes attacker-controlled native code with the privileges of the Node process, whether that is a developer workstation, a CI runner or a production host. Because the download is not pinned to a hash and the binary is unsigned, the server can serve a different payload to each victim. Consequences range up to full system compromise and persistence, and the detached child process together with the obfuscation makes the activity harder to trace back to the package.
Mitigation Recommendations
No official patch exists and there is no safe version to upgrade to, because the package itself is the malware. Remove @krentzen/buffer-reverse version 1.0.3 from every project and lockfile that references it, directly or as a transitive dependency, and treat any host on which the module was required as compromised: the dropped binary ran with the Node process's privileges and was detached from its parent, so inspect the system temporary directory for the file, look for surviving child processes, and rotate any credentials that environment could reach. Note that installing with npm install --ignore-scripts does not prevent this case, because the code runs at require() time rather than from an install hook. Going forward, pin dependencies with a lockfile that records integrity hashes, review new or renamed dependencies before adopting them, and monitor the npm registry and security advisories for removal notices.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6536
- OSV schema version: 1.7.4
- Aliases: none
- Ecosystems: npm
- Database-specific severity: not assigned
- CVSS version: not assigned
Threat ID: 6a3ef76c27e9c79719fee8a9
Added to database: 06/26/2026, 22:04:28 UTC
Last enriched: 06/26/2026, 22:09:09 UTC
Last updated: 06/27/2026, 04:12:05 UTC