OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10402 confirms this npm version as malicious. The package publishes under scope `@gleamkit/ws` while copying the `ws` package's description, homepage, repository, author, and README verbatim, and bundling the legitimate `ws` source so it appears functional. Appended to `lib/websocket.js` after the copied WebSocket implementation is a heavily obfuscated payload (base64+RC4 string decoder over a ~700-entry rotated string array, hex-named identifiers, duplicated...
Advisory
MAL-2026-10402
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @gleamkit/ws (npm)
Details
The package publishes under scope `@gleamkit/ws` while copying the `ws` package's description, homepage, repository, author, and README verbatim, and bundling the legitimate `ws` source so it appears functional. Appended to `lib/websocket.js` after the copied WebSocket implementation is a heavily obfuscated payload (base64+RC4 string decoder over a ~700-entry rotated string array, hex-named identifiers, duplicated as two sequential IIFEs) that reconstructs hostnames, paths, environment keys, and spawn arguments at runtime. On every load — `index.js` (main) and `wrapper.mjs` both pull in `./lib/websocket` — the payload issues an HTTPS request to fetch an external binary, AES-256-GCM decrypts it, writes it under `os.tmpdir()`, chmods it to 0o755, and spawns it as a detached, `unref()`ed child process with `windowsHide:true`, then calls `process.exit`. A marker env variable gate (`process.env[d]!== e`) is used to avoid re-entry. Because require/import is the trigger, any project that installs and loads `@gleamkit/ws` executes attacker-controlled bytes fetched from a remote host at load time.
Decision reason
OpenSSF Malicious Packages via OSV confirms @gleamkit/ws@8.21.3 as malicious (MAL-2026-10402): Malicious code in @gleamkit/ws (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory