MAL-2026-5930

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestr/MAL-2026-5930.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5930
Published
2026-06-16T22:22:20Z
Modified
2026-06-16T23:16:57.562660202Z
Summary
Malicious code in bubblestr (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172)

package.json declares "postinstall": "node index.js", and index.js is a heavily obfuscated single-file script (RC4+base64 string-array with rotating shift and two decoder wrappers). After deobfuscation, the postinstall body performs an HTTP GET to a built URL, writes the response body to a file under os.tmpdir() using fs.writeFileSync(..., {flag:'w+'}), and immediately executes the dropped file via child_process.exec(path, {windowsHide:true, cwd: process.cwd()}). This fires automatically on npm install with no user interaction and lands attacker-controlled bytes on the installer's machine. Author and description fields are empty, the obfuscation has no legitimate justification for a 'utility' package, and the README contradicts the published name by instructing users to install/require @array-util/subsearch — a name-confusion lure designed to harvest installs while hiding under a different documented identity. The combination of install-time remote fetch-and-exec, obfuscation intent to evade scanners, and identity mismatch is a textbook supply-chain dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T22:22:20Z",
            "versions": [
                "1.1.4"
            ],
            "id": "IN-MAL-2026-006849",
            "import_time": "2026-06-16T23:03:43.764328533Z"
        }
    ]
}
References
Credits

Affected packages

npm / bubblestr

Package: npm / bubblestr
Affected ranges: 1.*
Affected versions: 1.1.4

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestr/MAL-2026-5930.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "19e0f7def6781dd59eb6d2f5f6a19cba7b2cb68db3e585dbf99cd9e3b51e1e93",
            "tlsh": "379275cc3bc2f0b05233f0bb6a1b60a6f5b95c4ca3499848f797f0a8f968314d556b64",
            "path": "index.js"
        },
        {
            "sha256": "b483859ffa6b9e105f21b45694fa1b8b363e8f90429de4d420473f1dc3b49284",
            "tlsh": "ceb0124dc64353b9266126f87619288ef231cc059502084070c75cf40bc1cd0b28106e",
            "path": "README.md"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-qG0hul/6x2SqhsweHgsRt0G8dtbe+Fgv3xbx6MtXj3OuXKlHDYHf5OF/Q6DRPllycjmdODbj1kaEmGXwNY3OWw==",
                "sha1": "c6917b4c1740b531704859fd0efda9466585fca8"
            },
            "filename": "bubblestr-1.1.4.tgz"
        }
    ]
}