Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in uncaxss (npm)

uncaxss

Risk score

92

AI summary

Indexed incident for uncaxss (npm).

Description

Package ships an obfuscated dist/index.js that is invoked from the postinstall lifecycle hook (node dist/index.js). At install time, the script performs an HTTPS GET to https://onch.cc/test1.txt (and https://onch.cc/test2.txt), base64-decodes the response body, and executes it via new Function('require', decoded)(), granting the fetched code full Node.js capabilities (including require) on the installer's machine. The dropper is gated by process.env.P == 1, allowing the attacker to keep the payload dormant on incidental installers and detonate selectively (e.g., on CI runners where P is set). The fetching logic is obfuscated using javascript-obfuscator (hex identifiers, rotating string array, decoder wrapper), and the package's own build script ("obfuscate": "javascript-obfuscator./dist/index.js...") confirms obfuscation is applied deliberately before publish. The remote host onch.cc is unrelated to any documented package purpose (the package has no README), and the fetched content is opaque, mutable, and unpinned. This is a classic install-time RCE dropper with attacker-controlled remote code execution on npm install.

Technical details

Affected versions

=1.3.5=1.3.4

Indicators

  • affected version=1.3.575%
  • affected version=1.3.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents