MAL-2026-10088

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lovable-tager/MAL-2026-10088.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10088
Published
2026-07-09T17:00:49Z
Modified
2026-07-09T17:31:55.418826635Z
Summary
Malicious code in lovable-tager (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a)

lovable-tager is a single-character-deletion typosquat of the legitimate Vite plugin lovable-tagger. The ESM entry dist/index.js (referenced by main) contains the clean plugin code followed by ~6 KB of tab padding and then an appended obfuscator.io-style permutation-obfuscated IIFE. On module load, the IIFE assigns global.require, global.__dirname, and global.__filename, derives Function via a deshuffled constructor lookup, constructs a new Function from an obfuscated string body, and immediately invokes it. The sibling CJS build dist/index.cjs, produced from the same source, contains only the clean plugin code with no such trailer — indicating the payload was smuggled into the published tarball after the normal build ran, hidden behind tab padding that suppresses it in most editors and diff views. Any project that adds the mistyped name to its Vite config executes attacker-controlled code inside the developer's Node process at plugin-load time, with the ability to reach require, the filesystem, and the network of the build host.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a",
            "id": "IN-MAL-2026-009365",
            "modified_time": "2026-07-09T17:01:44Z",
            "versions": [
                "1.4.0"
            ],
            "import_time": "2026-07-09T17:19:29.648654581Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "cc8ab43092d5c820c05237645c102e332aa8c94fc1c4bc51795bc1ed7a4baa22",
            "id": "IN-MAL-2026-009359",
            "import_time": "2026-07-09T17:19:28.811070502Z",
            "modified_time": "2026-07-09T17:00:49Z",
            "versions": [
                "1.4.1"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / lovable-tager

Package

Affected ranges

Affected versions

1.*
1.4.0
1.4.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "f76c1a595ab432cdf629c711fb025bc0227f57c91aba297e0a1866db6eb69eb2",
            "tlsh": "3c82d51f58f318364553b9698baf0005b935f373610cc954fe9c92a03fea229a5e6bdc",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "lovable-tager-1.4.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-M9BVvyZPuxnfhdNwouSRanyArORvojbpKc6cQUNF1Cirjp69r2PVjnsVwr6RDURz8KsNnP2we82C+THGOsRQbQ==",
                "sha1": "3184144a9450c41d1a9b63e42d9cd08b4ee228ba"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lovable-tager/MAL-2026-10088.json"