OSV ID
MAL-2026-10696
Ecosystem
npm
Summary
The package ships a single index.html (declared as main) whose only behavior is to fetch https://bitbucket.org/p2p-alt-public/p2p-emis/raw/main/GameWebSight from a mutable third-party branch and inject the response into the DOM via document.open/document.write/document.close. The fetched bytes are unpinned, unverified, and executed as HTML+JavaScript in the browser of anyone who loads the page. The loader is paired with anti-inspection handlers that suppress F12, Ctrl+Shift+I/J/C, Ctrl+U, Ctrl+S, and right-click, and with an interaction gate that only triggers the fetch after a real mousemove/click/keydown — otherwise it renders 'Blocked'. The combination of an external mutable-branch payload, no integrity verification, DevTools/view-source suppression, and a human-interaction sandbox-evasion gate is the dropper-loader pattern: the actual code executed in the visitor's browser is whatever the third-party repository owner chooses to publish at any moment.
Source: amazon-inspector (e9578c2db9f9fd58bb7b743e3ca8581aa21f4632bb965dcb53b7a4aaa02e5667)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.