-= Per source details. Do not edit below this line.=-
The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.
{
"malicious-packages-origins": [
{
"sha256": "31af99c3bcf655a4ef35e6d83bf9c49d0a38d5d7102ba0e60379fcd28f310ae4",
"id": "IN-MAL-2026-009595",
"import_time": "2026-07-09T23:30:56.042379479Z",
"versions": [
"1.0.32"
],
"modified_time": "2026-07-09T23:08:44Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.0.23"
],
"id": "IN-MAL-2026-009599",
"import_time": "2026-07-09T23:30:56.279877529Z",
"modified_time": "2026-07-09T23:09:19Z",
"sha256": "74fc90ab470fc324ca25c8e2dc519d310c2f7604cc23593c91825224e3992db8",
"source": "amazon-inspector"
},
{
"sha256": "7a4be46e7e7e4a53389dbbf5cdbde4e48292877accaeddfb6b5ab0b391d5a08b",
"id": "IN-MAL-2026-009601",
"import_time": "2026-07-09T23:30:56.365308223Z",
"versions": [
"1.0.13"
],
"modified_time": "2026-07-09T23:09:35Z",
"source": "amazon-inspector"
},
{
"sha256": "aacc2bc4dd67115bb3e72cf80534638ef7d1280f794e39f6149b12d401893867",
"id": "IN-MAL-2026-009597",
"import_time": "2026-07-09T23:30:56.145120623Z",
"modified_time": "2026-07-09T23:08:59Z",
"versions": [
"1.0.35"
],
"source": "amazon-inspector"
},
{
"sha256": "b89299c6d6dc2d4f01c4e49d64bc493d7db1c4b4f111c8e5808ce2230a82f0af",
"id": "IN-MAL-2026-009598",
"import_time": "2026-07-09T23:30:56.195129602Z",
"versions": [
"1.0.22"
],
"modified_time": "2026-07-09T23:09:09Z",
"source": "amazon-inspector"
},
{
"sha256": "c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf",
"id": "IN-MAL-2026-009596",
"import_time": "2026-07-09T23:30:56.102203728Z",
"modified_time": "2026-07-09T23:08:52Z",
"versions": [
"1.0.36"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "px8my-1.0.32.tgz",
"hashes": {
"sha512_sri": "sha512-SioSYx/uzVx7MV+EcVpxnatRs0Z1ALiY4yw+vq9YjkEZaCvj+48Jf66+ei/3NZ0+t+q4e/KY19xuo1vS5bRbsg==",
"sha1": "5c1ee59d8392d81c30f3b9d171185889c9032a52"
}
}
],
"evidence_files": [
{
"sha256": "307a0d991fcf5dd7b20b618874d5243b7191104c700371a295f59f614625a157",
"tlsh": "f131313d72116228875775266df6d398bc344a23f3a2e81a454dd854a4fced0207eded",
"path": "px.js"
},
{
"sha256": "e56b65fd73cf103e019ce6676076751bcdad7827b621732895026fef72dcd115",
"tlsh": "ac213312b405547243bde9c83c4e7c293277b82b93b3b258477511645ed2a047cb776d",
"path": "update_px8my.sh"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/px8my/MAL-2026-10104.json"