registry  /  validator-string  /  13.15.36

validator-string@13.15.36

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10109 confirms this npm version as malicious. Package name `validator-string` impersonates the widely-used npm package `validator` and copies its README, homepage, and API surface. `package.json` declares `scripts.postinstall: node index.js`, and `main` resolves to the same `index.js`, so the trailing obfuscated block runs both on `npm install` and on every `require('validator-string')`...

Advisory
MAL-2026-10109
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in validator-string (npm)
Details
Package name `validator-string` impersonates the widely-used npm package `validator` and copies its README, homepage, and API surface. `package.json` declares `scripts.postinstall: node index.js`, and `main` resolves to the same `index.js`, so the trailing obfuscated block runs both on `npm install` and on every `require('validator-string')`. The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers `require`, `module`, `__dirname`, `__filename`, `undefined`, and `constructor`, then hoists `require`/`module`/`__dirname`/`__filename` onto `global` so the decoded body has full Node.js capability. It recovers the string `Function` from `constructor`, invokes `Function(argNames, decodedBody)` on a large opaque encoded blob, and calls the resulting function unconditionally (`Lpe(2163)`). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.
Decision reason
OpenSSF Malicious Packages via OSV confirms validator-string@13.15.36 as malicious (MAL-2026-10109): Malicious code in validator-string (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory