MAL-2026-10109
Malicious code in validator-string (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4) Package name `validator-string` impersonates the widely-used npm package `validator` and copies its README, homepage, and API surface. `package.json` declares `scripts.postinstall: node index.js`, and `main` resolves to the same `index.js`, so the trailing obfuscated block runs both on `npm install` and on every `require('validator-string')`. The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers `require`, `module`, `__dirname`, `__filename`, `undefined`, and `constructor`, then hoists `require`/`module`/`__dirname`/`__filename` onto `global` so the decoded body has full Node.js capability. It recovers the string `Function` from `constructor`, invokes `Function(argNames, decodedBody)` on a large opaque encoded blob, and calls the resulting function unconditionally (`Lpe(2163)`). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for validator-string (npm). Pin to a known-safe version or switch to an alternative.