MAL-2026-10176

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uncaxss/MAL-2026-10176.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10176
Published
2026-07-10T21:24:28Z
Modified
2026-07-10T21:31:49.080051625Z
Summary
Malicious code in uncaxss (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (acda9720ae54881219c0fbcee73795be85877d292aa62662f7cb6b92e775f608)

Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook (node dist/index.js). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via new Function('require', decoded)(), granting the fetched code full Node.js capabilities (including require) on the installer's machine. The dropper is gated by process.env.P == 1, allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script ("obfuscate": "javascript-obfuscator./dist/index.js...") confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on npm install.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "aa3a99decf218ff512c0594cf9546d295c36215b1b573d64ba2d32c1ead49d68",
            "id": "IN-MAL-2026-009713",
            "modified_time": "2026-07-10T21:24:39Z",
            "versions": [
                "1.3.5"
            ],
            "import_time": "2026-07-10T21:26:05.979860307Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "acda9720ae54881219c0fbcee73795be85877d292aa62662f7cb6b92e775f608",
            "id": "IN-MAL-2026-009712",
            "modified_time": "2026-07-10T21:24:28Z",
            "versions": [
                "1.3.4"
            ],
            "import_time": "2026-07-10T21:26:05.888351192Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / uncaxss

Package

Affected ranges

Affected versions

1.*
1.3.4
1.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "17a2bd86b2ef8ada78ac7ccaf08ba1b595a87bc9c9acc771986ca032c77a1767",
            "tlsh": "6c418fac6f91121067428eaf783f56fee1abc57975445c8fd010aa943c11530eae2f35",
            "path": "dist/index.js"
        },
        {
            "sha256": "713ec743d2af78883fa41164546fcb16cb2ca55beb0f6e972cd6b7d690db2c53",
            "tlsh": "48f04c74cc659f2315c864d688e292ab56e29c17078cfd186385404d869e1bd88fe8be",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "uncaxss-1.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-7CzUA8wVT2eusqovWBOyvuPxs7e8szdock8VO0ciqNeEcIoiWdAxlxfNFB9VEj2B5LK9e00iLRT4zUey7ZurDA==",
                "sha1": "8f9bc64be374ed03ec382405783092df65e091c0"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uncaxss/MAL-2026-10176.json"