bubblestring @1.1.4
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10496
Ecosystem
npm
Summary
package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on npm install . The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package ( @array-util/subsearch ), serving as cover for a payload that has no advertised purpose.
Source: amazon-inspector (d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.