Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

validator-stringnpm

Malicious code in validator-string (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10109
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall validator-string

What this malware does

Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js, and main resolves to the same index.js, so the trailing obfuscated block runs both on npm install and on every require('validator-string'). The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require, module, __dirname, __filename, undefined, and constructor, then hoists require/module/__dirname/__filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor, invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally (Lpe(2163)). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.

Malicious versions

1 flagged
13.15.36

Indicators of compromise (SHA-256)

41a95b09ecd097cf7db1496950d26195169adb7ad2d8065a3458771389094be4

Detection & response playbook

Typosquat
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for validator-string (version 13.15.36). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging validator-string across your stack and pipelines.

  2. If you installed it — respond

    validator-string is a typosquat — you almost certainly intended a legitimately-named package. Remove validator-string, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

  3. Did it already run?

    If validator-string was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks validator-string before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. validator-string on npm has been identified as a malicious package (version 13.15.36 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009594

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks validator-string-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

validator-string (npm) malicious package — MAL-2026-10109 | O3 Security