validator-stringnpm
Malicious code in validator-string (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
Package name validator-string impersonates the widely-used npm package validator and copies its README, homepage, and API surface. package.json declares scripts.postinstall: node index.js, and main resolves to the same index.js, so the trailing obfuscated block runs both on npm install and on every require('validator-string'). The appended code uses a custom multi-stage character-shuffle routine to reconstruct the identifiers require, module, __dirname, __filename, undefined, and constructor, then hoists require/module/__dirname/__filename onto global so the decoded body has full Node.js capability. It recovers the string Function from constructor, invokes Function(argNames, decodedBody) on a large opaque encoded blob, and calls the resulting function unconditionally (Lpe(2163)). This is dynamic code construction from an obfuscated payload executed automatically on install and on load — installer-side remote/opaque code execution with full Node privileges. The typosquat name, cloned metadata, obfuscation of core Node identifiers, and auto-execution at two separate lifecycle points are collectively unambiguous.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
TyposquatFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for validator-string (version 13.15.36). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging validator-string across your stack and pipelines.
If you installed it — respond
validator-string is a typosquat — you almost certainly intended a legitimately-named package. Remove validator-string, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If validator-string was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks validator-string before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks validator-string-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.