OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10524 confirms this npm version as malicious. Package is published as `@velkov/isows` while its README, repository (`wevm/isows`), description ("Isomorphic WebSocket"), and author (`jxom.eth`) impersonate the legitimate `isows` package. The legitimate upstream `utils.ts` is an 8-line `getNativeWebSocket` helper; in this package, `_cjs/utils.js` and `_esm/utils.js` append ~50KB of obfuscator.io-style payload (rotated string array `a4()`, base64+RC4 decoder...
Advisory
MAL-2026-10524
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @velkov/isows (npm)
Details
Package is published as `@velkov/isows` while its README, repository (`wevm/isows`), description ("Isomorphic WebSocket"), and author (`jxom.eth`) impersonate the legitimate `isows` package. The legitimate upstream `utils.ts` is an 8-line `getNativeWebSocket` helper; in this package, `_cjs/utils.js` and `_esm/utils.js` append ~50KB of obfuscator.io-style payload (rotated string array `a4()`, base64+RC4 decoder `a5()`, debugger-trap class, `while(!![])` loops). The payload runs at top level whenever the package is `require`d or `import`ed (the package.json `main` is `./_cjs/index.js`, which loads `./utils.js`). Behavior: re-execs Node with a sentinel env var, dynamically loads `https`/`fs`/`os`/`child_process`/`path`/`crypto`, issues an HTTPS GET to an RC4-decoded host/path, streams the response to a hostname-derived filename under `os.tmpdir()`, validates a sha256 from a sidecar JSON fetched from the same attacker-controlled host (attacker controls both payload and verification), AES-256-GCM-decrypts the bytes with a key XOR-derived from four embedded 32-byte buffers, `chmod`s 0o755, and `spawn`s the binary `{detached:true, stdio:'ignore', windowsHide:true}` so it survives the parent process. Error-handling stubs are empty to suppress diagnostics. This is the canonical typosquat-plus-dropper supply-chain attack pattern: any installer or transitive consumer that loads `@velkov/isows` runs attacker-controlled native code on their machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms @velkov/isows@1.0.10 as malicious (MAL-2026-10524): Malicious code in @velkov/isows (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory