{"id":"MAL-2026-5930","summary":"Malicious code in bubblestr (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172)\npackage.json declares `\"postinstall\": \"node index.js\"`, and index.js is a heavily obfuscated single-file script (RC4+base64 string-array with rotating shift and two decoder wrappers). After deobfuscation, the postinstall body performs an HTTP GET to a built URL, writes the response body to a file under `os.tmpdir()` using `fs.writeFileSync(..., {flag:'w+'})`, and immediately executes the dropped file via `child_process.exec(path, {windowsHide:true, cwd: process.cwd()})`. This fires automatically on `npm install` with no user interaction and lands attacker-controlled bytes on the installer's machine. Author and description fields are empty, the obfuscation has no legitimate justification for a 'utility' package, and the README contradicts the published name by instructing users to install/require `@array-util/subsearch` — a name-confusion lure designed to harvest installs while hiding under a different documented identity. The combination of install-time remote fetch-and-exec, obfuscation intent to evade scanners, and identity mismatch is a textbook supply-chain dropper.\n","modified":"2026-06-16T23:16:57.562660202Z","published":"2026-06-16T22:22:20Z","database_specific":{"malicious-packages-origins":[{"versions":["1.1.4"],"sha256":"7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172","id":"IN-MAL-2026-006849","source":"amazon-inspector","import_time":"2026-06-16T23:03:43.764328533Z","modified_time":"2026-06-16T22:22:20Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bubblestr/v/1.1.4"}],"affected":[{"package":{"name":"bubblestr","ecosystem":"npm","purl":"pkg:npm/bubblestr"},"versions":["1.1.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bubblestr/MAL-2026-5930.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"19e0f7def6781dd59eb6d2f5f6a19cba7b2cb68db3e585dbf99cd9e3b51e1e93","path":"index.js","tlsh":"379275cc3bc2f0b05233f0bb6a1b60a6f5b95c4ca3499848f797f0a8f968314d556b64"},{"path":"README.md","sha256":"b483859ffa6b9e105f21b45694fa1b8b363e8f90429de4d420473f1dc3b49284","tlsh":"ceb0124dc64353b9266126f87619288ef231cc059502084070c75cf40bc1cd0b28106e"}],"package_integrity":[{"filename":"bubblestr-1.1.4.tgz","hashes":{"sha512_sri":"sha512-qG0hul/6x2SqhsweHgsRt0G8dtbe+Fgv3xbx6MtXj3OuXKlHDYHf5OF/Q6DRPllycjmdODbj1kaEmGXwNY3OWw==","sha1":"c6917b4c1740b531704859fd0efda9466585fca8"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}