npm

http-ws-listener @1.0.5

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10623

Ecosystem

npm

Summary

http-ws-listener@1.0.5 ships misc/configFetcher.js, which reconstructs a hidden Pastebin URL and the module names 'net' and 'child_process' by triple-base64-decoding a Lorem-ipsum string literal and indexing characters through a numeric array. When the package's advertised entrypoint startWebSocketServer() is called, fetchConfig() retrieves colon-separated handles from the paste, dynamically imports the built-in net and child_process modules, invokes child_process.exec on a second remote-fetched string, opens a TCP socket to a host:port also carried in the paste, and pipes that socket into the child process's stdin, stdout, and stderr. The result is an interactive reverse shell on the machine running the package, driven by content that the paste author can mutate at any time. The obfuscation (triple base64 plus character-index reconstruction) exists to hide the C2 URL and the built-in module names from static inspection.

Source: amazon-inspector (2b70acc8a626218c5855ef656a6945f1f2018c0ff62c112d9b31bae5016fae49)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.