registry  /  isite  /  2026.7.2

isite@2026.7.2

Create High Level Multi-Language Web Site [Fast and Easy]

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10735 confirms this npm version as malicious. On initialization of the framework (index.js -> init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the...

Advisory
MAL-2026-10735
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in isite (npm)
Details
On initialization of the framework (index.js -> init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the framework's entire options object to http://social-browser.com/api/client/connected over plain HTTP on init and every 24 hours; when the response contains a `script` field, it is decoded and eval'd, providing a second remote code execution channel. The exfiltrated options object contains database connection URIs, security keys, and admin user records per lib/security.js and lib/mongodb.js. A separate helper ____0.AI(text) in apps/client-side/site_files/js/site.js hardcodes POSTs of caller-supplied text to https://n8n.egytag.com/webhook/chat. Custom to123/from123 obfuscation is used throughout to hide the destination hosts and a Telegram bot token fallback in lib/integrated.js.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 102 file(s), 6.29 MB of source, external domains: 127.0.0.1, datatracker.ietf.org, docs.angularjs.org, docs.oasis-open.org, egytag.com, emails.egytag.com, errors.angularjs.org, example.com, git.io, github.com, img.youtube.com, momentjs.com, n8n.egytag.com, openoffice.org, popper.js.org, purl.oclc.org, purl.org, schemas.microsoft.com, schemas.openxmlformats.org, sheetjs.openxmlformats.org, social-browser.com, stackoverflow.com, tools.ietf.org, translate.googleapis.com, vjs.zencdn.net, www.w3.org, www.youtube-nocookie.com, www.youtube.com

Source & flagged code

7 flagged · loading source
ssl/key.pemView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

ssl/key.pemView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in ssl/key.pem

ssl/key.pemView on unpkg · L1
isite_files/js/angular.jsView file
193N=function(a){return C(a)?a.toLowerCase():a},wb=function(a){return C(a)?a.toUpperCase():a},Ba,z,ta,xa=[].slice,vg=[].splice,Xg=[].push,la=Object.prototype.toString,Oc=Object.getPro... L194: "\\$1").replace(/\x08/g,"\\x08")},Ja=function(){if(!t(Ja.rules)){var a=x.document.querySelector("[ng-csp]")||x.document.querySelector("[data-ng-csp]");if(a){var b=a.getAttribute("n... L195: c,e;for(b=0;b<d;++b)if(c=Na[b],a=x.document.querySelector("["+c.replace(":","\\:")+"jq]")){e=a.getAttribute(c+"jq");break}return tb.name_=e},ve=/:/g,Na=["ng-","data-ng-","ng:","x-n...
Low
Eval

Package source references a known benign dynamic code generation pattern.

isite_files/js/angular.jsView on unpkg · L193
proxy.jsView file
1const webServer = require('./index')({ name: 'Local Proxy', apps: false, mongodb: { enabled: false }, require: { features: [] } }); L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

proxy.jsView on unpkg · L1
push.batView file
path = push.bat kind = build_helper sizeBytes = 56 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

push.batView on unpkg
isite_files/fonts/glyphicons-halflings-regular.woffView file
path = isite_files/fonts/glyphicons-halflings-regular.woff kind = high_entropy_blob sizeBytes = 23424 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

isite_files/fonts/glyphicons-halflings-regular.woffView on unpkg
README.mdView file
139patternName = generic_password severity = medium line = 139 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L139

Findings

2 Critical2 High6 Medium7 Low
CriticalCritical Secretssl/key.pem
CriticalSecret Patternssl/key.pem
HighObfuscated
HighShips High Entropy Blobisite_files/fonts/glyphicons-halflings-regular.woff
MediumDynamic Requireproxy.js
MediumNetwork
MediumProtestware
MediumShips Build Helperpush.bat
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
LowScripts Present
LowEvalisite_files/js/angular.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License