OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10093 confirms this npm version as malicious. @andrewstory18/is-real-odd impersonates the widely-used is-odd package by copying its README, author, and repository metadata verbatim, but ships an additional obfuscated payload (index.min.js) wired into package.json as a postinstall script. The payload uses an _0x string-array dispatcher to hide its behavior; once deobfuscated, it issues an http.request POST to the hardcoded bare IP 144.172.91.84 on port 3000 at...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
index.min.jsView on unpkg · L1