{"id":"MAL-2026-10105","summary":"Malicious code in pxpure8 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679)\nThe package's main entry (pure.js) consists of a single behavior: it creates a \u003cscript\u003e element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated `px8my` npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.\n","modified":"2026-07-09T23:47:00.183795953Z","published":"2026-07-09T23:09:27Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-07-09T23:30:56.316754416Z","sha256":"a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679","id":"IN-MAL-2026-009600","versions":["1.0.2"],"modified_time":"2026-07-09T23:09:27Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pxpure8/v/1.0.2"}],"affected":[{"package":{"name":"pxpure8","ecosystem":"npm","purl":"pkg:npm/pxpure8"},"versions":["1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pxpure8/MAL-2026-10105.json","indicators":{"evidence_files":[{"tlsh":"e1c0806a651575344255509d3037d6b478f3112965119181456ddc190d61d811c5fc90","path":"pure.js","sha256":"86002d8a49e829ca7d529eb48e10f7f27c46269556ba67667fd1314a40e4fc9c"},{"path":"package.json","tlsh":"e4d0a7141961953315c455260e399153b721df5f00547c0d57cf282c52cfa736cfa30d","sha256":"4281502bbb94b3de31549000e2a3b17652df7c1dcaacb3232a2ced75384aa5eb"}],"package_integrity":[{"hashes":{"sha1":"5586296c2a656fb3fecefc2b98dce1dc0dde7d2e","sha512_sri":"sha512-zl6TenA1lLpGO7wunk6KDGbob6qNgimLoIVewUIlR3hzBjndpQMNxDnGgYH6IcpXQqqJX5yy4LERiTYtk3oeTA=="},"filename":"pxpure8-1.0.2.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}