{"id":"MAL-2026-6580","summary":"Malicious code in loadutils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a)\nPackage `loadutils` is a typosquat of the widely used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger — name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in `dependencies`, `peerDependencies`, or `optionalDependencies`; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as `loadutils` is required. `package.json` additionally declares `lessload@^1.0.1` as a runtime dependency that is never referenced in `src/` and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on `npm install`. 
The `contributors` metadata also impersonates a well-known maintainer (`Kiko Beats` paired with an unrelated homepage `alphacointech1010.com`), reinforcing the deceptive packaging.\n","modified":"2026-06-29T07:16:41.830821526Z","published":"2026-06-29T06:39:52Z","database_specific":{"malicious-packages-origins":[{"ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"id":"IN-MAL-2026-007768","source":"amazon-inspector","modified_time":"2026-06-29T06:39:52Z","import_time":"2026-06-29T07:09:11.190833495Z","sha256":"31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a","versions":["1.0.4"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/loadutils/v/1.0.4"}],"affected":[{"package":{"name":"loadutils","ecosystem":"npm","purl":"pkg:npm/loadutils"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.4"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious 
Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"README.md","tlsh":"d8d1b8660f569d3297288bb5780994f0e312612ca526c476a0d5a4ecd3e37d0f9f13e5","sha256":"0ee2b5a25c3ef8d4e0d60fae718d3a16ffabbfc48b13d65b8af34e22c06f4411"},{"path":"src/index.js","tlsh":"52517355916b6042067356abda9b680afb3fe02334339165be1da3c11fb3b004916fea","sha256":"d7d6f65dc61f08413988d39a4a6f9b60b21987b8a43e281d367cea5a9b6269af"},{"path":"package.json","tlsh":"1381cd67cd684d770ac9926aa8694202b660c9438e58fc1c739d439dcf4d07f21fe7ae","sha256":"9dcef13879e01ec7f69b751d7ca1a8153e76e649092790c23401047ad7087c9d"}],"package_integrity":[{"hashes":{"sha1":"801ca76f569e5fe16f972e4f1ba20770242eff5c","sha512_sri":"sha512-mT4cKT0GWk+OacN3moFEBtg8/rYsVhMOUm2t18nFKFAYysQv/EW/Ffyi3LjHhZzWhpd5K84PBErfyrmci3WCaw=="},"filename":"loadutils-1.0.4.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadutils/MAL-2026-6580.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}