registry  /  bubblestring  /  1.1.4

bubblestring@1.1.4

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10496 confirms this npm version as malicious. package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening)...

Advisory
MAL-2026-10496
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in bubblestring (npm)
Details
package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on `npm install`. The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package (`@array-util/subsearch`), serving as cover for a payload that has no advertised purpose.
Decision reason
OpenSSF Malicious Packages via OSV confirms bubblestring@1.1.4 as malicious (MAL-2026-10496): Malicious code in bubblestring (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory