OSV ID
MAL-2026-10176
Ecosystem
npm
Summary
Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook ( node dist/index.js ). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via new Function('require', decoded)() , granting the fetched code full Node.js capabilities (including require ) on the installer's machine. The dropper is gated by process.env.P == 1 , allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script ( "obfuscate": "javascript-obfuscator./dist/index.js..." ) confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on npm install .
Source: amazon-inspector (acda9720ae54881219c0fbcee73795be85877d292aa62662f7cb6b92e775f608)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.