npm

nuxt-fonts-devtools @99.0.3

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6937

Ecosystem

npm

Summary

Package ships only a package.json and a readme; there is no main entry, no bin, no scripts, no dependencies, and no executable code. The readme contains the string 'Takeover By lobo' and the package.json description self-labels as a 'Security research canary — vercel'. Installing this version does not execute code and does not exfiltrate data, run remote payloads, or modify the installer's environment. However, the name resembles a Nuxt/Vercel devtools-adjacent package and the readme text asserts a namespace takeover, so the package is a name-squat placeholder rather than a functional library. Downstream consumers who add this dependency expecting real functionality will pull an empty package and, if the name is ever transferred or republished, could later receive attacker-controlled content under the same name.

Source: amazon-inspector (d6ede5024b6ee71356eedb3dfb3bb648682901bf6b966bbe353daff6082ecc85)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.