{"id":"MAL-2026-10735","summary":"Malicious code in isite (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (08f0ac64df493f0f780dab52b41f561daedaf70c2a6c9cb62fe51307f89d29fe)\nOn initialization of the framework (index.js -\u003e init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the framework's entire options object to http://social-browser.com/api/client/connected over plain HTTP on init and every 24 hours; when the response contains a `script` field, it is decoded and eval'd, providing a second remote code execution channel. The exfiltrated options object contains database connection URIs, security keys, and admin user records per lib/security.js and lib/mongodb.js. A separate helper ____0.AI(text) in apps/client-side/site_files/js/site.js hardcodes POSTs of caller-supplied text to https://n8n.egytag.com/webhook/chat. Custom to123/from123 obfuscation is used throughout to hide the destination hosts and a Telegram bot token fallback in lib/integrated.js.\n","modified":"2026-07-16T19:19:47.286265258Z","published":"2026-07-16T18:34:56Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-16T18:54:00.117325158Z","modified_time":"2026-07-16T18:34:56Z","sha256":"08f0ac64df493f0f780dab52b41f561daedaf70c2a6c9cb62fe51307f89d29fe","source":"amazon-inspector","versions":["2026.7.2"],"id":"IN-MAL-2026-010704"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/isite/v/2026.7.2"}],"affected":[{"package":{"name":"isite","ecosystem":"npm","purl":"pkg:npm/isite"},"versions":["2026.7.2"],"database_specific":{"indicators":{"package_integrity":[{"filename":"isite-2026.7.2.tgz","hashes":{"sha512_sri":"sha512-/t7EX6iWeTa5vKpF5y9U2GL3N5cK5mXl7ThE5xxqSMIJYDV+LUJnPWkK+cTfjjWUXOE4vZ8mbGdtHMlP2uuKww==","sha1":"12885bce2295d223b76bd3cb5728a74df2b172a6"}}],"evidence_files":[{"tlsh":"f971f098543554ba483273a6ea27e09cfb754173080a7346bead82de6f3895043edf4c","path":"lib/wsClient.js","sha256":"f505f12ce0a5e0395feaae62b7386689dcc8c9f63b42474e63e8be41b54c6564"},{"tlsh":"6541e47538915188c5bb73f68a1ed23ed565433750194d957d7c42409fb311872e1dc4","path":"lib/eval.js","sha256":"b49e9a2425699152e34019470fdee0bb8b74676f4c3f7444183fc13b02b370a9"},{"tlsh":"c0a18d0a2b59500941b373fbbb46e10cfb14e077214da261ba5c52e6ef338a426f2f5c","path":"lib/integrated.js","sha256":"6633547f153be5228fd33dd5cf7d55ec9730b7244506c7731a4234356bc1ae7f"},{"path":"object-options/lib/fn.js","sha256":"cfa5624a8f8cf05994d622614d0ecc93e299d89f0af90dcd67eca8fcb211489c","tlsh":"aa92149a698670054a73b3fc8b4bd01df73a8837024d01917d6c9995afb242176f9fec"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/isite/MAL-2026-10735.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}