loadutils@1.0.4
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC
OSV ID: MAL-2026-6580
Ecosystem: npm
Summary
Package loadutils is a typosquat of the widely-used webpack helper loader-utils. The shipped README documents the loader-utils API (urlToRequest, interpolateName, getHashDigest), but src/index.js instead exports a debug-style logger, so name, documentation, and implementation do not align. On import, src/index.js executes require('debug-glitzs') at the top level, but debug-glitzs is not declared in dependencies, peerDependencies, or optionalDependencies; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as loadutils is required. package.json additionally declares lessload@^1.0.1 as a runtime dependency that is never referenced in src/ and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on npm install. The contributors metadata also impersonates a well-known maintainer (Kiko Beats paired with an unrelated homepage alphacointech1010.com), reinforcing the deceptive packaging.
Source: amazon-inspector (31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a)
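The two manifest mismatches described in the summary (a module required but never declared, and a dependency declared but never referenced) can be checked mechanically before a package is installed. The following is an added example, not code from the report or from the package; the function names, the abbreviated builtin list, and the sample manifest and source text are constructed from the summary's description.

```javascript
// Abbreviated list of Node.js core modules (assumption: extend for real use).
const BUILTINS = new Set(['assert', 'buffer', 'child_process', 'crypto', 'events', 'fs',
  'http', 'https', 'net', 'os', 'path', 'stream', 'tty', 'url', 'util', 'zlib']);

// Reduce 'pkg/sub/path' or '@scope/pkg/sub' to the package name npm resolves.
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect third-party package names from require('x'), import('x'),
// `from 'x'` and `import 'x'`. Regex-based, so computed specifiers are missed.
function bareSpecifiers(source) {
  const re = /(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"]+)\1/g;
  const found = new Set();
  for (const m of source.matchAll(re)) {
    const spec = m[2];
    if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) continue;
    const name = packageName(spec);
    if (!BUILTINS.has(name)) found.add(name);
  }
  return found;
}

// Compare what the code loads against what package.json declares.
function auditManifest(manifest, sources) {
  const declared = new Set();
  for (const field of ['dependencies', 'peerDependencies', 'optionalDependencies']) {
    Object.keys(manifest[field] || {}).forEach((d) => declared.add(d));
  }
  const used = new Set();
  for (const text of Object.values(sources)) bareSpecifiers(text).forEach((n) => used.add(n));
  return {
    undeclared: [...used].filter((n) => !declared.has(n)).sort(),
    unreferenced: [...declared].filter((n) => !used.has(n)).sort(),
  };
}

// Constructed sample mirroring the summary; not the package's real files.
const sampleManifest = { name: 'loadutils', version: '1.0.4', dependencies: { lessload: '^1.0.1' } };
const sampleSources = {
  'src/index.js': "const dbg = require('debug-glitzs');\nconst tty = require('tty');\n",
};
console.log(auditManifest(sampleManifest, sampleSources));
```

Either list being non-empty is a prompt for manual review rather than proof of malice, since some packages load plugins by computed name.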