{"id":"MAL-2026-10496","summary":"Malicious code in bubblestring (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9)\npackage.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on `npm install`. The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package (`@array-util/subsearch`), serving as cover for a payload that has no advertised purpose.\n","modified":"2026-07-13T22:01:57.204343328Z","published":"2026-07-13T21:44:59Z","database_specific":{"malicious-packages-origins":[{"versions":["1.1.4"],"id":"IN-MAL-2026-010330","import_time":"2026-07-13T21:49:34.288626799Z","modified_time":"2026-07-13T21:44:59Z","sha256":"d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bubblestring/v/1.1.4"}],"affected":[{"package":{"name":"bubblestring","ecosystem":"npm","purl":"pkg:npm/bubblestring"},"versions":["1.1.4"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"e86885b6807a13bca855aadeca14206eae7f6301","sha512_sri":"sha512-5dui/7hby451YflExrVr7DfO8EYKyaDicntXaxabZZ+lbcJ+xuoAKDGG2Pic02+/rb8CThxFtZwfPGUCVvngHQ=="},"filename":"bubblestring-1.1.4.tgz"}],"evidence_files":[{"path":"index.js","sha256":"b5d9d043be26b0c7c7c75f62ac9b3783541d8b126ff56b95a9c2147a6093b5d1","tlsh":"5b8275cc3bc1b0605233f07b6d1ba0a6f1a95c89b3999848f756b4e8fc64314d5b9b98"},{"sha256":"3e79b4c9ee9ff1eed8174a37c43c3f1fffa952590ff618c83e804814a0656493","tlsh":"43d02e200e211a3329c0025608aea04b62a08f2f0008380883db193cc5eea779cfe30e","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestring/MAL-2026-10496.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}