{"id":"MAL-2026-10093","summary":"Malicious code in @andrewstory18/is-real-odd (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0a6faaf0fbf39ed9ec8797c97cb8b2486be8b84eb46bfeabc3412a3eeded4aa1)\n@andrewstory18/is-real-odd impersonates the widely-used is-odd package by copying its README, author, and repository metadata verbatim, but ships an additional obfuscated payload (index.min.js) wired into package.json as a postinstall script. The payload uses an _0x string-array dispatcher to hide its behavior; once deobfuscated, it issues an http.request POST to the hardcoded bare IP 144.172.91.84 on port 3000 at path /hello. This fires automatically on npm install, establishing an attacker-controlled callback from any installer machine and enabling tracking of successful infections and staging of follow-on payloads. The destination is unrelated to the legitimate is-odd publisher (jonschlinkert) and is not a registry, CDN, or known SDK endpoint.\n","modified":"2026-07-09T20:16:49.730814494Z","published":"2026-07-09T19:18:33Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.3"],"modified_time":"2026-07-09T19:18:33Z","sha256":"0a6faaf0fbf39ed9ec8797c97cb8b2486be8b84eb46bfeabc3412a3eeded4aa1","source":"amazon-inspector","id":"IN-MAL-2026-009391","import_time":"2026-07-09T20:08:40.412268597Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@andrewstory18/is-real-odd/v/2.0.3"}],"affected":[{"package":{"name":"@andrewstory18/is-real-odd","ecosystem":"npm","purl":"pkg:npm/%40andrewstory18/is-real-odd"},"versions":["2.0.3"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","tlsh":"b831dc3ac4240d631eec66a0ecaa404296600c579c54fe0db3af451c0f5d23f217e7ed","sha256":"614787a72bc97c021273d3a1595b89a98b3188548dbe24631e3f2d04659ccf4b"},{"path":"index.min.js","tlsh":"12311178aad065ce07029a5f2e3be5cfd505ceb43c5a0ca9c002feb17d44a28fd92971","sha256":"dc893fd986a36e166215de9af1269ee2114148e1cf62765917fd45fa9e78c36a"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-s/t7vk9qwRZdmnRttXJ/u3mBMVl8J9feJOfuAYP3Jt1QS937wP+mKgJjJEnacBY+t0uCqB21WKcwlA6snLdC4Q==","sha1":"9fea61e007ff3961c298276ddef34568b1f9a5f4"},"filename":"is-real-odd-2.0.3.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@andrewstory18/is-real-odd/MAL-2026-10093.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}