npm

uncaxss @1.3.5

Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC

Malicious

OSV ID

MAL-2026-10176

Ecosystem

npm

Summary

Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook ( node dist/index.js ). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via new Function('require', decoded)() , granting the fetched code full Node.js capabilities (including require ) on the installer's machine. The dropper is gated by process.env.P == 1 , allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script ( "obfuscate": "javascript-obfuscator./dist/index.js..." ) confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on npm install .

Source: amazon-inspector (acda9720ae54881219c0fbcee73795be85877d292aa62662f7cb6b92e775f608)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.