MAL-2026-10496

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestring/MAL-2026-10496.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10496
Published
2026-07-13T21:44:59Z
Modified
2026-07-13T22:01:57.204343328Z
Summary
Malicious code in bubblestring (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9)

package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on npm install. The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package (@array-util/subsearch), serving as cover for a payload that has no advertised purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:44:59Z",
            "versions": [
                "1.1.4"
            ],
            "sha256": "d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9",
            "id": "IN-MAL-2026-010330",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T21:49:34.288626799Z"
        }
    ]
}
References
Credits

Affected packages

npm / bubblestring

Package

Affected ranges

Affected versions

1.*
1.1.4

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "5b8275cc3bc1b0605233f07b6d1ba0a6f1a95c89b3999848f756b4e8fc64314d5b9b98",
            "sha256": "b5d9d043be26b0c7c7c75f62ac9b3783541d8b126ff56b95a9c2147a6093b5d1",
            "path": "index.js"
        },
        {
            "tlsh": "43d02e200e211a3329c0025608aea04b62a08f2f0008380883db193cc5eea779cfe30e",
            "sha256": "3e79b4c9ee9ff1eed8174a37c43c3f1fffa952590ff618c83e804814a0656493",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "e86885b6807a13bca855aadeca14206eae7f6301",
                "sha512_sri": "sha512-5dui/7hby451YflExrVr7DfO8EYKyaDicntXaxabZZ+lbcJ+xuoAKDGG2Pic02+/rb8CThxFtZwfPGUCVvngHQ=="
            },
            "filename": "bubblestring-1.1.4.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestring/MAL-2026-10496.json"