VDB
KO

MAL-2026-10176

Malicious code in uncaxss (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (acda9720ae54881219c0fbcee73795be85877d292aa62662f7cb6b92e775f608) Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook (`node dist/index.js`). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via `new Function('require', decoded)()`, granting the fetched code full Node.js capabilities (including `require`) on the installer's machine. The dropper is gated by `process.env.P == 1`, allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script (`"obfuscate": "javascript-obfuscator./dist/index.js..."`) confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on `npm install`.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / uncaxss

No fixed version published yet for uncaxss (npm). Pin to a known-safe version or switch to an alternative.

References