OSV ID
MAL-2026-10726
Ecosystem
npm
Summary
This tarball is published as astro@7.1.0 but does not match the legitimate withastro/astro project (which is on the v5.x line and depends on picocolors, debug, and @astrojs/markdown-remark). The package.json declares dependencies on typosquat-shaped names on the same registry: piccolore, obug, and @astrojs/markdown-satteri. Core modules import these look-alikes unconditionally — dist/core/logger/node.js contains import { createDebug, enable as obugEnable } from "obug" and dist/cli/infra/piccolore-text-styler.js contains import colors from "piccolore" — so any require('astro') or CLI invocation causes those attacker-controlled packages to be resolved and executed inside the installer's node_modules tree. The version jump from the real 5.x line and the substitution of the standard utility dependencies with lookalike names indicate a registry impersonation of the astro framework, structured as a dependency-chain dropper.
Source: amazon-inspector (949822741657acf4a6b9f6255a2f7a080ca1cc3343e9663020c5e21ce2a6b03c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.