Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in validator-string (npm)

validator-string

Risk score

92

AI summary

Indexed incident for validator-string (npm).

Description

Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js, and main resolves to the same index.js, so the trailing obfuscated block runs both on npm install and on every require('validator-string'). The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require, module, __dirname, __filename, undefined, and constructor, then hoists require/module/__dirname/__filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor, invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally (Lpe(2163)). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.

Technical details

Affected versions

=13.15.36

Indicators

  • affected version=13.15.3675%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents