OSV ID
MAL-2026-10735
Ecosystem
npm
Summary
On initialization of the framework (index.js -> init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the framework's entire options object to http://social-browser.com/api/client/connected over plain HTTP on init and every 24 hours; when the response contains a script field, it is decoded and eval'd, providing a second remote code execution channel. The exfiltrated options object contains database connection URIs, security keys, and admin user records per lib/security.js and lib/mongodb.js. A separate helper ____0.AI(text) in apps/client-side/site_files/js/site.js hardcodes POSTs of caller-supplied text to https://n8n.egytag.com/webhook/chat. Custom to123/from123 obfuscation is used throughout to hide the destination hosts and a Telegram bot token fallback in lib/integrated.js.
Source: amazon-inspector (08f0ac64df493f0f780dab52b41f561daedaf70c2a6c9cb62fe51307f89d29fe)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.