npm

lovable-tager @1.4.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10088

Ecosystem

npm

Summary

lovable-tager is a single-character-deletion typosquat of the legitimate Vite plugin lovable-tagger . The ESM entry dist/index.js (referenced by main ) contains the clean plugin code followed by ~6 KB of tab padding and then an appended obfuscator.io-style permutation-obfuscated IIFE. On module load, the IIFE assigns global.require , global.__dirname , and global.__filename , derives Function via a deshuffled constructor lookup, constructs a new Function from an obfuscated string body, and immediately invokes it. The sibling CJS build dist/index.cjs , produced from the same source, contains only the clean plugin code with no such trailer — indicating the payload was smuggled into the published tarball after the normal build ran, hidden behind tab padding that suppresses it in most editors and diff views. Any project that adds the mistyped name to its Vite config executes attacker-controlled code inside the developer's Node process at plugin-load time, with the ability to reach require , the filesystem, and the network of the build host.

Source: amazon-inspector (0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.