Which versions of bubblestr are malicious?

The following npm versions of bubblestr are flagged malicious: 1.1.4. Treat any of these as compromised.

How do I remediate bubblestr if I installed it?

Remove bubblestr from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is bubblestr part of a known attack campaign?

Yes — bubblestr is associated with the IN-MAL-2026-006849 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect bubblestr in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking bubblestr and packages like it before any post-install script runs.

Malicious package

bubblestrnpm

Malicious code in bubblestr (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5930

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall bubblestr

What this malware does

package.json declares "postinstall": "node index.js", and index.js is a heavily obfuscated single-file script (RC4+base64 string-array with rotating shift and two decoder wrappers). After deobfuscation, the postinstall body performs an HTTP GET to a built URL, writes the response body to a file under os.tmpdir() using fs.writeFileSync(..., {flag:'w+'}), and immediately executes the dropped file via child_process.exec(path, {windowsHide:true, cwd: process.cwd()}). This fires automatically on npm install with no user interaction and lands attacker-controlled bytes on the installer's machine. Author and description fields are empty, the obfuscation has no legitimate justification for a 'utility' package, and the README contradicts the published name by instructing users to install/require @array-util/subsearch — a name-confusion lure designed to harvest installs while hiding under a different documented identity. The combination of install-time remote fetch-and-exec, obfuscation intent to evade scanners, and identity mismatch is a textbook supply-chain dropper.

Malicious versions

1 flagged

1.1.4

Indicators of compromise (SHA-256)

7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172

Frequently asked questions

No. bubblestr on npm has been identified as a malicious package (version 1.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006849

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection