lusha-iam-widgets @1.5.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10533
Ecosystem
npm
Summary
package.json declares the node-fetch dependency pinned to a tarball URL on registry.ctzbg.com , a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On npm install , npm fetches and installs whatever that endpoint returns as node-fetch , running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also import s node-fetch , so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher ( hlush ) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs lusha-* packages.
Source: amazon-inspector (46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.