MAL-2026-10735

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/isite/MAL-2026-10735.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10735
Published
2026-07-16T18:34:56Z
Modified
2026-07-16T19:19:47.286265258Z
Summary
Malicious code in isite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (08f0ac64df493f0f780dab52b41f561daedaf70c2a6c9cb62fe51307f89d29fe)

On initialization of the framework (index.js -> init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the framework's entire options object to http://social-browser.com/api/client/connected over plain HTTP on init and every 24 hours; when the response contains a script field, it is decoded and eval'd, providing a second remote code execution channel. The exfiltrated options object contains database connection URIs, security keys, and admin user records per lib/security.js and lib/mongodb.js. A separate helper ___0.AI(text) in apps/client-side/sitefiles/js/site.js hardcodes POSTs of caller-supplied text to https://n8n.egytag.com/webhook/chat. Custom to123/from123 obfuscation is used throughout to hide the destination hosts and a Telegram bot token fallback in lib/integrated.js.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2026.7.2"
            ],
            "sha256": "08f0ac64df493f0f780dab52b41f561daedaf70c2a6c9cb62fe51307f89d29fe",
            "import_time": "2026-07-16T18:54:00.117325158Z",
            "modified_time": "2026-07-16T18:34:56Z",
            "id": "IN-MAL-2026-010704",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / isite

Package

Affected ranges

Affected versions

2026.*
2026.7.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "isite-2026.7.2.tgz",
            "hashes": {
                "sha1": "12885bce2295d223b76bd3cb5728a74df2b172a6",
                "sha512_sri": "sha512-/t7EX6iWeTa5vKpF5y9U2GL3N5cK5mXl7ThE5xxqSMIJYDV+LUJnPWkK+cTfjjWUXOE4vZ8mbGdtHMlP2uuKww=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "f971f098543554ba483273a6ea27e09cfb754173080a7346bead82de6f3895043edf4c",
            "sha256": "f505f12ce0a5e0395feaae62b7386689dcc8c9f63b42474e63e8be41b54c6564",
            "path": "lib/wsClient.js"
        },
        {
            "tlsh": "6541e47538915188c5bb73f68a1ed23ed565433750194d957d7c42409fb311872e1dc4",
            "sha256": "b49e9a2425699152e34019470fdee0bb8b74676f4c3f7444183fc13b02b370a9",
            "path": "lib/eval.js"
        },
        {
            "tlsh": "c0a18d0a2b59500941b373fbbb46e10cfb14e077214da261ba5c52e6ef338a426f2f5c",
            "sha256": "6633547f153be5228fd33dd5cf7d55ec9730b7244506c7731a4234356bc1ae7f",
            "path": "lib/integrated.js"
        },
        {
            "tlsh": "aa92149a698670054a73b3fc8b4bd01df73a8837024d01917d6c9995afb242176f9fec",
            "sha256": "cfa5624a8f8cf05994d622614d0ecc93e299d89f0af90dcd67eca8fcb211489c",
            "path": "object-options/lib/fn.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/isite/MAL-2026-10735.json"