npm

subsearch @1.0.3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6457

Ecosystem

npm

Summary

The package's main entry index.js is the only file of substance and is wrapped in obfuscator.io string-array + RC4 obfuscation that hides every literal (module names, URL octets, exec arguments). On require(), the deobfuscated code assembles a bare-IP HTTP URL by concatenating four octets via .concat('.'), performs an HTTP GET, writes the response body into os.tmpdir() via fs.writeFileSync(path.join(os.tmpdir(), <name>), I.data, {flag:'w+'}), and immediately executes the dropped file with child_process.exec(..., {windowsHide:true, cwd: os.tmpdir()}). process.on('uncaughtException', ...) is registered to suppress errors. package.json has an empty description, an empty author, no repository, and no homepage; the package advertises no functionality, and its only effect on import is the dropper. The bare-IP destination has no TLS, no pinning, and no signature verification, so the attacker can swap the executed payload at any time.

Source: amazon-inspector (04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511)
