MAL-2026-10109

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/validator-string/MAL-2026-10109.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10109
Published
2026-07-09T23:05:09Z
Modified
2026-07-09T23:47:00.567829728Z
Summary
Malicious code in validator-string (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4)

Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js, and main resolves to the same index.js, so the trailing obfuscated block runs both on npm install and on every require('validator-string'). The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require, module, __dirname, __filename, undefined, and constructor, then hoists require/module/__dirname/__filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor, invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally (Lpe(2163)). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4",
            "id": "IN-MAL-2026-009594",
            "import_time": "2026-07-09T23:30:55.950850689Z",
            "modified_time": "2026-07-09T23:05:09Z",
            "versions": [
                "13.15.36"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / validator-string

Package

Affected ranges

Affected versions

13.*
13.15.36

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "2a921e507afa9ca9b81477e2990eb4002955dcbc88faf146f64e80f513f6243d729f39",
            "sha256": "77403cea5fe296336fe72d8ceb707429a88d3544f5e4f3026a75c5cd43e06449",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "validator-string-13.15.36.tgz",
            "hashes": {
                "sha512_sri": "sha512-bJnMSame0+65KbnXhaivsAX5SyIDvMng52bBrPEwwtLdV+6ZE60jZME9a7Eh4mSMEDKLf1A5wq+eC7G3mkIwQg==",
                "sha1": "0268c2240252729cb4fb58ccede52e3ae015a5e0"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/validator-string/MAL-2026-10109.json"