MAL-2026-10093

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@andrewstory18/is-real-odd/MAL-2026-10093.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10093
Published
2026-07-09T19:18:33Z
Modified
2026-07-09T20:16:49.730814494Z
Summary
Malicious code in @andrewstory18/is-real-odd (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0a6faaf0fbf39ed9ec8797c97cb8b2486be8b84eb46bfeabc3412a3eeded4aa1)

@andrewstory18/is-real-odd impersonates the widely-used is-odd package by copying its README, author, and repository metadata verbatim, but ships an additional obfuscated payload (index.min.js) wired into package.json as a postinstall script. The payload uses an _0x string-array dispatcher to hide its behavior; once deobfuscated, it issues an http.request POST to the hardcoded bare IP 144.172.91.84 on port 3000 at path /hello. This fires automatically on npm install, establishing an attacker-controlled callback from any installer machine and enabling tracking of successful infections and staging of follow-on payloads. The destination is unrelated to the legitimate is-odd publisher (jonschlinkert) and is not a registry, CDN, or known SDK endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.3"
            ],
            "id": "IN-MAL-2026-009391",
            "import_time": "2026-07-09T20:08:40.412268597Z",
            "modified_time": "2026-07-09T19:18:33Z",
            "sha256": "0a6faaf0fbf39ed9ec8797c97cb8b2486be8b84eb46bfeabc3412a3eeded4aa1",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @andrewstory18/is-real-odd

Package

Name
@andrewstory18/is-real-odd
View open source insights on deps.dev
Purl
pkg:npm/%40andrewstory18/is-real-odd

Affected ranges

Affected versions

2.*
2.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "614787a72bc97c021273d3a1595b89a98b3188548dbe24631e3f2d04659ccf4b",
            "tlsh": "b831dc3ac4240d631eec66a0ecaa404296600c579c54fe0db3af451c0f5d23f217e7ed",
            "path": "package.json"
        },
        {
            "sha256": "dc893fd986a36e166215de9af1269ee2114148e1cf62765917fd45fa9e78c36a",
            "tlsh": "12311178aad065ce07029a5f2e3be5cfd505ceb43c5a0ca9c002feb17d44a28fd92971",
            "path": "index.min.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "is-real-odd-2.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-s/t7vk9qwRZdmnRttXJ/u3mBMVl8J9feJOfuAYP3Jt1QS937wP+mKgJjJEnacBY+t0uCqB21WKcwlA6snLdC4Q==",
                "sha1": "9fea61e007ff3961c298276ddef34568b1f9a5f4"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@andrewstory18/is-real-odd/MAL-2026-10093.json"