npm

pxpure8 @1.0.2

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10105

Ecosystem

npm

Summary

The package's main entry (pure.js) consists of a single behavior: it creates a <script> element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated px8my npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.

Source: amazon-inspector (a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.