OSV ID
MAL-2026-10105
Ecosystem
npm
Summary
The package's main entry (pure.js) consists of a single behavior: it creates a <script> element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated px8my npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.
Source: amazon-inspector (a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.