MAL-2026-6457
Malicious code in subsearch (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511)

The package's main entry `index.js` is the only file of substance and is wrapped in obfuscator.io string-array + RC4 obfuscation that hides every literal (module names, URL octets, exec arguments). On `require()`, the deobfuscated code assembles a bare-IP HTTP URL by concatenating four octets via `.concat('.')`, performs an HTTP GET, writes the response body into `os.tmpdir()` via `fs.writeFileSync(path.join(os.tmpdir(), <name>), I.data, {flag:'w+'})`, and immediately executes the dropped file with `child_process.exec(..., {windowsHide:true, cwd: os.tmpdir()})`. A `process.on('uncaughtException', ...)` handler is registered to suppress errors. `package.json` has an empty description, an empty author, no repository and no homepage — the package advertises no functionality; its only effect on import is the dropper. The bare-IP destination has no TLS, no pinning and no signature verification, so the attacker can swap the executed payload at any time.
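As an added example (not code from the advisory or from Amazon Inspector), the following triage script checks a package's `package.json` and source for the combination of indicators described above; the `triage` function, the indicator names and the sample inputs are constructed for this illustration, and the API-usage patterns only apply to deobfuscated source because the string-array obfuscation hides those literals.

```javascript
// Added triage heuristic for the dropper pattern described in the analysis above. Not the
// advisory's or Amazon Inspector's code: indicators are derived from the description, and
// the sample package.json and source fragments below are constructed.
// Metadata gaps the analysis calls out: empty description/author, no repository/homepage.
function metadataFindings(pkg) {
  const f = [];
  if (!pkg.description) f.push('empty description');
  if (!pkg.author) f.push('empty author');
  if (!pkg.repository) f.push('no repository');
  if (!pkg.homepage) f.push('no homepage');
  return f;
}

// The `_0x` marker matches the obfuscated index.js as shipped; the API-usage patterns only
// match deobfuscated source, since string-array obfuscation hides module names and arguments.
const SOURCE_INDICATORS = [
  ['obfuscator.io string-array identifiers', /_0x[0-9a-f]{4,}\b/i],
  ['file written into os.tmpdir() with flag w+',
    /writeFileSync\s*\(\s*path\.join\s*\(\s*os\.tmpdir\(\)[^;]*flag\s*:\s*['"]w\+['"]/],
  ['child_process.exec with windowsHide and cwd in tmpdir',
    /exec\s*\([^;]*windowsHide\s*:\s*true[^;]*os\.tmpdir\(\)/],
  ['uncaughtException handler suppressing errors', /process\.on\s*\(\s*['"]uncaughtException['"]/],
  ["IP octets joined with .concat('.')", /\.concat\s*\(\s*['"]\.['"]/],
];
function sourceFindings(src) {
  return SOURCE_INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
}
// Write-to-tmpdir plus exec is the dropper combination itself; metadata gaps alone only
// raise suspicion when paired with at least one source indicator.
function triage(packageJsonText, indexJsText) {
  const metadata = metadataFindings(JSON.parse(packageJsonText));
  const source = sourceFindings(indexJsText);
  const hasWrite = source.some((n) => n.startsWith('file written'));
  const hasExec = source.some((n) => n.startsWith('child_process.exec'));
  let verdict = 'no match';
  if (hasWrite && hasExec) verdict = 'dropper-like';
  else if (metadata.length >= 2 && source.length > 0) verdict = 'suspicious';
  return { metadata, source, verdict };
}
// Constructed inputs mirroring the description (disconnected fragments, not a working dropper).
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'subsearch', description: '', author: '', main: 'index.js' });
const SAMPLE_SOURCE = [
  "process.on('uncaughtException', function () {});",
  "var _0x1f2a = ['placeholder'];",
  "var u = 'http://' + a.concat('.').concat(b);",
  "fs.writeFileSync(path.join(os.tmpdir(), n), I.data, {flag:'w+'});",
  "child_process.exec(c, {windowsHide:true, cwd: os.tmpdir()});",
].join('\n');
console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE), null, 2));
```

Run it against an unpacked tarball's `package.json` and a deobfuscated `index.js`; a `dropper-like` verdict means the write-and-exec pair was found, which is the point at which the package should be quarantined rather than merely flagged.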
Affected packages
No fixed version published yet for subsearch (npm). Pin to a known-safe version or switch to an alternative.