MAL-2026-10623
Malicious code in http-ws-listener (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2b70acc8a626218c5855ef656a6945f1f2018c0ff62c112d9b31bae5016fae49) http-ws-listener@1.0.5 ships misc/configFetcher.js, which reconstructs a hidden Pastebin URL and the module names 'net' and 'child_process' by triple-base64-decoding a Lorem-ipsum string literal and indexing characters through a numeric array. When the package's advertised entrypoint startWebSocketServer() is called, fetchConfig() retrieves colon-separated handles from the paste, dynamically imports the built-in net and child_process modules, invokes child_process.exec on a second remote-fetched string, opens a TCP socket to a host:port also carried in the paste, and pipes that socket into the child process's stdin, stdout, and stderr. The result is an interactive reverse shell on the machine running the package, driven by content that the paste author can mutate at any time. The obfuscation (triple base64 plus character-index reconstruction) exists to hide the C2 URL and the built-in module names from static inspection.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for http-ws-listener (npm). Pin to a known-safe version or switch to an alternative.