OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10176 confirms this npm version as malicious. Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook (`node dist/index.js`). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via `new Function('require', decoded)()`, granting the fetched code full Node.js capabilities (including `require`) on the installer's...
Advisory
MAL-2026-10176
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in uncaxss (npm)
Details
Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook (`node dist/index.js`). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via `new Function('require', decoded)()`, granting the fetched code full Node.js capabilities (including `require`) on the installer's machine. The dropper is gated by `process.env.P == 1`, allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script (`"obfuscate": "javascript-obfuscator./dist/index.js..."`) confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on `npm install`.
Decision reason
OpenSSF Malicious Packages via OSV confirms uncaxss@1.3.4 as malicious (MAL-2026-10176): Malicious code in uncaxss (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory