registry  /  @andrewstory18/is-real-odd  /  2.0.3

@andrewstory18/is-real-odd@2.0.3

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10093 confirms this npm version as malicious. @andrewstory18/is-real-odd impersonates the widely-used is-odd package by copying its README, author, and repository metadata verbatim, but ships an additional obfuscated payload (index.min.js) wired into package.json as a postinstall script. The payload uses an _0x string-array dispatcher to hide its behavior; once deobfuscated, it issues an http.request POST to the hardcoded bare IP 144.172.91.84 on port 3000 at...

Advisory
MAL-2026-10093
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @andrewstory18/is-real-odd (npm)
Details
@andrewstory18/is-real-odd impersonates the widely-used is-odd package by copying its README, author, and repository metadata verbatim, but ships an additional obfuscated payload (index.min.js) wired into package.json as a postinstall script. The payload uses an _0x string-array dispatcher to hide its behavior; once deobfuscated, it issues an http.request POST to the hardcoded bare IP 144.172.91.84 on port 3000 at path /hello. This fires automatically on npm install, establishing an attacker-controlled callback from any installer machine and enabling tracking of successful infections and staging of follow-on payloads. The destination is unrelated to the legitimate is-odd publisher (jonschlinkert) and is not a registry, CDN, or known SDK endpoint.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
DynamicRequire
Supply chain
MinifiedObfuscated
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.31 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node index.min.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
9L10: const isNumber = require('is-number'); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L9
index.min.jsView file
1var a0_0x29d13f=a0_0xb220;(function(_0x4e46d0,_0x418f8b){var _0x3590e6=a0_0xb220,_0x1a3314=_0x4e46d0();while(!![]){try{var _0x2f78e9=parseInt(_0x3590e6(0x85))/0x1+parseInt(_0x3590e...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

index.min.jsView on unpkg · L1

Findings

3 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderindex.min.js
HighObfuscated
MediumDynamic Requireindex.js
MediumStructural Risk Force Deep Review
LowScripts Present