{"id":"MAL-2026-10104","summary":"Malicious code in px8my (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf)\nThe package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.\n","modified":"2026-07-09T23:47:00.926531874Z","published":"2026-07-09T23:08:44Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-09T23:08:44Z","import_time":"2026-07-09T23:30:56.042379479Z","versions":["1.0.32"],"id":"IN-MAL-2026-009595","sha256":"31af99c3bcf655a4ef35e6d83bf9c49d0a38d5d7102ba0e60379fcd28f310ae4"},{"source":"amazon-inspector","sha256":"74fc90ab470fc324ca25c8e2dc519d310c2f7604cc23593c91825224e3992db8","import_time":"2026-07-09T23:30:56.279877529Z","versions":["1.0.23"],"modified_time":"2026-07-09T23:09:19Z","id":"IN-MAL-2026-009599"},{"source":"amazon-inspector","modified_time":"2026-07-09T23:09:35Z","import_time":"2026-07-09T23:30:56.365308223Z","versions":["1.0.13"],"id":"IN-MAL-2026-009601","sha256":"7a4be46e7e7e4a53389dbbf5cdbde4e48292877accaeddfb6b5ab0b391d5a08b"},{"source":"amazon-inspector","id":"IN-MAL-2026-009597","versions":["1.0.35"],"import_time":"2026-07-09T23:30:56.145120623Z","sha256":"aacc2bc4dd67115bb3e72cf80534638ef7d1280f794e39f6149b12d401893867","modified_time":"2026-07-09T23:08:59Z"},{"source":"amazon-inspector","modified_time":"2026-07-09T23:09:09Z","import_time":"2026-07-09T23:30:56.195129602Z","versions":["1.0.22"],"id":"IN-MAL-2026-009598","sha256":"b89299c6d6dc2d4f01c4e49d64bc493d7db1c4b4f111c8e5808ce2230a82f0af"},{"source":"amazon-inspector","id":"IN-MAL-2026-009596","versions":["1.0.36"],"import_time":"2026-07-09T23:30:56.102203728Z","sha256":"c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf","modified_time":"2026-07-09T23:08:52Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.32"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.23"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.13"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.35"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.22"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/px8my/v/1.0.36"}],"affected":[{"package":{"name":"px8my","ecosystem":"npm","purl":"pkg:npm/px8my"},"versions":["1.0.32","1.0.23","1.0.13","1.0.35","1.0.22","1.0.36"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/px8my/MAL-2026-10104.json","indicators":{"evidence_files":[{"tlsh":"f131313d72116228875775266df6d398bc344a23f3a2e81a454dd854a4fced0207eded","path":"px.js","sha256":"307a0d991fcf5dd7b20b618874d5243b7191104c700371a295f59f614625a157"},{"tlsh":"ac213312b405547243bde9c83c4e7c293277b82b93b3b258477511645ed2a047cb776d","path":"update_px8my.sh","sha256":"e56b65fd73cf103e019ce6676076751bcdad7827b621732895026fef72dcd115"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-SioSYx/uzVx7MV+EcVpxnatRs0Z1ALiY4yw+vq9YjkEZaCvj+48Jf66+ei/3NZ0+t+q4e/KY19xuo1vS5bRbsg==","sha1":"5c1ee59d8392d81c30f3b9d171185889c9032a52"},"filename":"px8my-1.0.32.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}