OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10735 confirms this npm version as malicious. On initialization of the framework (index.js -> init()), lib/wsClient.js opens a WebSocket to ws://socket.social-browser.com/isite (URL hidden by a custom base64-alphabet decoder in object-options/lib/fn.js). Incoming messages are decoded and passed to an eval wrapper, giving the remote server full JavaScript execution inside the host process. In parallel, lib/eval.js's httpTrustedOnline() unconditionally POSTs the...
Decision evidence
public snapshotSource & flagged code
7 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
isite_files/js/angular.jsView on unpkg · L193Package ships high-entropy non-source blobs.
isite_files/fonts/glyphicons-halflings-regular.woffView on unpkg