npm

load-nuxt-dev @99.0.3

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6935

Ecosystem

npm

Summary

The package name resembles the legitimate Nuxt ecosystem tooling (e.g., @nuxt/load-nuxt), and the version 99.0.3 is a common dependency-confusion / version-inflation shape used to force npm to prefer this artifact over an internal package of the same name. No install-time, import-time, or runtime code paths in the scanned files show credential harvesting, remote-code fetch-and-execute, exfiltration, or backdoor behavior. Because no concrete installer-harm mechanism was observed, this cannot be classified as an active attack from the current artifact contents alone, but the name + inflated-version pattern is consistent with a dependency-confusion lure and warrants human review before allowing it into a build.

Source: amazon-inspector (cf0f879297070c07197ace88cfb411c61d497ad150e39c2c5c91349737f5d83a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.