validator-string @13.15.36
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-10109
Ecosystem
npm
Summary
Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js , and main resolves to the same index.js , so the trailing obfuscated block runs both on npm install and on every require('validator-string') . The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require , module , __dirname , __filename , undefined , and constructor , then hoists require / module / __dirname / __filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor , invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally ( Lpe(2163) ). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.
Source: amazon-inspector (41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.