{"id":"MAL-2026-10109","summary":"Malicious code in validator-string (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4)\nPackage name `validator-string` impersonates the widely-used npm package `validator` and copies its README, homepage, and API surface. `package.json` declares `scripts.postinstall: node index.js`, and `main` resolves to the same `index.js`, so the trailing obfuscated block runs both on `npm install` and on every `require('validator-string')`. The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers `require`, `module`, `__dirname`, `__filename`, `undefined`, and `constructor`, then hoists `require`/`module`/`__dirname`/`__filename` onto `global` so the decoded body has full Node.js capability. It recovers the string `Function` from `constructor`, invokes `Function(argNames, decodedBody)` on a large opaque encoded blob, and calls the resulting function unconditionally (`Lpe(2163)`). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.\n","modified":"2026-07-09T23:47:00.567829728Z","published":"2026-07-09T23:05:09Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-09T23:30:55.950850689Z","id":"IN-MAL-2026-009594","sha256":"41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4","versions":["13.15.36"],"modified_time":"2026-07-09T23:05:09Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/validator-string/v/13.15.36"}],"affected":[{"package":{"name":"validator-string","ecosystem":"npm","purl":"pkg:npm/validator-string"},"versions":["13.15.36"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/validator-string/MAL-2026-10109.json","indicators":{"evidence_files":[{"tlsh":"2a921e507afa9ca9b81477e2990eb4002955dcbc88faf146f64e80f513f6243d729f39","path":"index.js","sha256":"77403cea5fe296336fe72d8ceb707429a88d3544f5e4f3026a75c5cd43e06449"}],"package_integrity":[{"filename":"validator-string-13.15.36.tgz","hashes":{"sha1":"0268c2240252729cb4fb58ccede52e3ae015a5e0","sha512_sri":"sha512-bJnMSame0+65KbnXhaivsAX5SyIDvMng52bBrPEwwtLdV+6ZE60jZME9a7Eh4mSMEDKLf1A5wq+eC7G3mkIwQg=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}