VDB
KO

MAL-2026-10496

Malicious code in bubblestring (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d88c674968228c1d12eff609caca870ebe6d572631e15e2bdde0d0d4b7a320f9) package.json declares a postinstall hook that runs the package's only code file, index.js, on every npm install. index.js is heavily obfuscated (obfuscator.io-style RC4 string array with 231 entries, two decoders, control-flow flattening). After deobfuscation, the top-level code constructs an IPv4 address by concatenating four numeric octets, performs an HTTPS request to that bare-IP host, writes the response body to a file under the OS temp directory via fs.writeFileSync, and then executes the dropped file via child_process. This is the canonical install-time remote-code-execution dropper shape: mutable attacker-controlled destination, no publisher domain, no integrity check, automatic execution under the installer's user account on `npm install`. The package metadata reinforces malicious intent — empty description, empty author, no repository or homepage, no exported functionality — and the README instructs users to install and require an unrelated package (`@array-util/subsearch`), serving as cover for a payload that has no advertised purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / bubblestring

No fixed version published yet for bubblestring (npm). Pin to a known-safe version or switch to an alternative.

References