-= Per source details. Do not edit below this line.=-
package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on npm install. The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package (@array-util/subsearch), serving as cover for a payload that has no advertised purpose.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T21:44:59Z",
"versions": [
"1.1.4"
],
"sha256": "d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9",
"id": "IN-MAL-2026-010330",
"source": "amazon-inspector",
"import_time": "2026-07-13T21:49:34.288626799Z"
}
]
}{
"evidence_files": [
{
"tlsh": "5b8275cc3bc1b0605233f07b6d1ba0a6f1a95c89b3999848f756b4e8fc64314d5b9b98",
"sha256": "b5d9d043be26b0c7c7c75f62ac9b3783541d8b126ff56b95a9c2147a6093b5d1",
"path": "index.js"
},
{
"tlsh": "43d02e200e211a3329c0025608aea04b62a08f2f0008380883db193cc5eea779cfe30e",
"sha256": "3e79b4c9ee9ff1eed8174a37c43c3f1fffa952590ff618c83e804814a0656493",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "e86885b6807a13bca855aadeca14206eae7f6301",
"sha512_sri": "sha512-5dui/7hby451YflExrVr7DfO8EYKyaDicntXaxabZZ+lbcJ+xuoAKDGG2Pic02+/rb8CThxFtZwfPGUCVvngHQ=="
},
"filename": "bubblestring-1.1.4.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestring/MAL-2026-10496.json"