-= Per source details. Do not edit below this line.=-
http-ws-listener@1.0.5 ships misc/configFetcher.js, which reconstructs a hidden Pastebin URL and the module names 'net' and 'childprocess' by triple-base64-decoding a Lorem-ipsum string literal and indexing characters through a numeric array. When the package's advertised entrypoint startWebSocketServer() is called, fetchConfig() retrieves colon-separated handles from the paste, dynamically imports the built-in net and childprocess modules, invokes child_process.exec on a second remote-fetched string, opens a TCP socket to a host:port also carried in the paste, and pipes that socket into the child process's stdin, stdout, and stderr. The result is an interactive reverse shell on the machine running the package, driven by content that the paste author can mutate at any time. The obfuscation (triple base64 plus character-index reconstruction) exists to hide the C2 URL and the built-in module names from static inspection.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010564",
"import_time": "2026-07-14T20:52:50.020277685Z",
"sha256": "2b70acc8a626218c5855ef656a6945f1f2018c0ff62c112d9b31bae5016fae49",
"versions": [
"1.0.5"
],
"modified_time": "2026-07-14T20:29:55Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-ws-listener/MAL-2026-10623.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "http-ws-listener-1.0.5.tgz",
"hashes": {
"sha512_sri": "sha512-G4ILhI5Ac9v2kMrP1lnfrgu1lWBkHh6cMSy93MdOzi1Uo7sSaFS3fSRQrJEVr90sMk75CmxLFYrvyQjfgzg4zQ==",
"sha1": "de00a0854ea9791c883cf40b5303b97a4ecbae15"
}
}
],
"evidence_files": [
{
"path": "misc/configFetcher.js",
"sha256": "9f815f5c096d28547abcccdc9f8c341a3fbfec4f751b76843a12aeee23fb9a88",
"tlsh": "a5226d447dfe64b1eb91b246c69bec0931c183863956e4c5fa2c83450fbf905c64b6c7"
}
]
}