-= Per source details. Do not edit below this line.=-
Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js, and main resolves to the same index.js, so the trailing obfuscated block runs both on npm install and on every require('validator-string'). The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require, module, __dirname, __filename, undefined, and constructor, then hoists require/module/__dirname/__filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor, invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally (Lpe(2163)). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.
{
"malicious-packages-origins": [
{
"sha256": "41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4",
"id": "IN-MAL-2026-009594",
"import_time": "2026-07-09T23:30:55.950850689Z",
"modified_time": "2026-07-09T23:05:09Z",
"versions": [
"13.15.36"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "2a921e507afa9ca9b81477e2990eb4002955dcbc88faf146f64e80f513f6243d729f39",
"sha256": "77403cea5fe296336fe72d8ceb707429a88d3544f5e4f3026a75c5cd43e06449",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "validator-string-13.15.36.tgz",
"hashes": {
"sha512_sri": "sha512-bJnMSame0+65KbnXhaivsAX5SyIDvMng52bBrPEwwtLdV+6ZE60jZME9a7Eh4mSMEDKLf1A5wq+eC7G3mkIwQg==",
"sha1": "0268c2240252729cb4fb58ccede52e3ae015a5e0"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/validator-string/MAL-2026-10109.json"