Vulnerability
Malicious code in typeorm-encrypt (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a56a819a1e640411db5e485054b23282d0d04f847270ea17c605cbfa6e6ab5ac) The published tarball contains lib/lib.min.js, a heavily obfuscated file that stashes Node intrinsics on globals (`global['r']=require; global['m']=module;`) before invoking a Function-constructor eval'd payload. This is the canonical dropper shape: code that needs `require` access but is structured to evade casual review through a permutation-decoder + Function-eval pipeline. The file is not referenced from lib/index.js (the package main) or any other clean module in the package, whose stated purpose is a small TypeORM transformer for encrypted columns (lib/crypto.js, lib/entity.js, lib/transformer.js show that purpose in clear source). Shipping an obfuscated payload that has no role in the advertised functionality, and that is wired to access Node's require/module via globals when invoked, is unjustified for a column-encryption transformer. Corroborating signal: package.json declares an empty author name with a lookalike email domain (`gennagykoroke@vich.com`) and no `repository` or `homepage` fields — typical placeholder maintainer metadata. While the obfuscated file is dormant on a default `require('typeorm-encrypt')` (it is not on the load graph from main), its presence in the tarball means any path that loads it — a future patch flipping main, a sibling package requiring `typeorm-encrypt/lib/lib.min.js` directly, or runtime code in other distribution paths — executes attacker-controlled obfuscated code with full Node intrinsics access. The combination of obfuscation, require-stashing prologue, purpose mismatch, and placeholder maintainer identity is consistent with smuggled malicious code. ## Source: ghsa-malware (dc67e2dca7bff2668f3bf2504574289c8ed5d5bbda1e2f52636df55205076d0d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence