OSV ID
MAL-2026-6579
Ecosystem
npm
Summary
lessload@1.0.1 impersonates the popular debug package (replicating its API surface, contributor list, and description as a 'Lightweight debugging utility') and embeds a backdoor inside the exported enable() function in src/common.js. When a consumer calls debug.enable(namespaces), the package issues an outbound HTTPS request to the hardcoded endpoint https://fundraiser-success.vercel.app/api/debugCheck?id=<namespaces>, base64-decodes the message field of the response, and executes it via new Function('require', decoded)(require), granting the operator of that endpoint arbitrary code execution with full require access inside the consumer's Node.js process. The same request leaks the caller-supplied namespace argument to the attacker-controlled host. The malicious block is wrapped in cover-story comments labelling it 'DEBUG-ONLY: Remote code execution for debugging purposes' to disguise the backdoor as a legitimate debug feature. Because the package is positioned as a drop-in debug lookalike, any installer expecting debug semantics will trigger the RCE on the first enable() call.
Source: amazon-inspector (9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6)