MAL-2026-10104

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/px8my/MAL-2026-10104.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10104
Published
2026-07-09T23:08:44Z
Modified
2026-07-09T23:47:00.926531874Z
Summary
Malicious code in px8my (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf)

The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "31af99c3bcf655a4ef35e6d83bf9c49d0a38d5d7102ba0e60379fcd28f310ae4",
            "id": "IN-MAL-2026-009595",
            "import_time": "2026-07-09T23:30:56.042379479Z",
            "versions": [
                "1.0.32"
            ],
            "modified_time": "2026-07-09T23:08:44Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.23"
            ],
            "id": "IN-MAL-2026-009599",
            "import_time": "2026-07-09T23:30:56.279877529Z",
            "modified_time": "2026-07-09T23:09:19Z",
            "sha256": "74fc90ab470fc324ca25c8e2dc519d310c2f7604cc23593c91825224e3992db8",
            "source": "amazon-inspector"
        },
        {
            "sha256": "7a4be46e7e7e4a53389dbbf5cdbde4e48292877accaeddfb6b5ab0b391d5a08b",
            "id": "IN-MAL-2026-009601",
            "import_time": "2026-07-09T23:30:56.365308223Z",
            "versions": [
                "1.0.13"
            ],
            "modified_time": "2026-07-09T23:09:35Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "aacc2bc4dd67115bb3e72cf80534638ef7d1280f794e39f6149b12d401893867",
            "id": "IN-MAL-2026-009597",
            "import_time": "2026-07-09T23:30:56.145120623Z",
            "modified_time": "2026-07-09T23:08:59Z",
            "versions": [
                "1.0.35"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "b89299c6d6dc2d4f01c4e49d64bc493d7db1c4b4f111c8e5808ce2230a82f0af",
            "id": "IN-MAL-2026-009598",
            "import_time": "2026-07-09T23:30:56.195129602Z",
            "versions": [
                "1.0.22"
            ],
            "modified_time": "2026-07-09T23:09:09Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf",
            "id": "IN-MAL-2026-009596",
            "import_time": "2026-07-09T23:30:56.102203728Z",
            "modified_time": "2026-07-09T23:08:52Z",
            "versions": [
                "1.0.36"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / px8my

Package

Affected ranges

Affected versions

1.*
1.0.13
1.0.22
1.0.23
1.0.32
1.0.35
1.0.36

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "px8my-1.0.32.tgz",
            "hashes": {
                "sha512_sri": "sha512-SioSYx/uzVx7MV+EcVpxnatRs0Z1ALiY4yw+vq9YjkEZaCvj+48Jf66+ei/3NZ0+t+q4e/KY19xuo1vS5bRbsg==",
                "sha1": "5c1ee59d8392d81c30f3b9d171185889c9032a52"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "307a0d991fcf5dd7b20b618874d5243b7191104c700371a295f59f614625a157",
            "tlsh": "f131313d72116228875775266df6d398bc344a23f3a2e81a454dd854a4fced0207eded",
            "path": "px.js"
        },
        {
            "sha256": "e56b65fd73cf103e019ce6676076751bcdad7827b621732895026fef72dcd115",
            "tlsh": "ac213312b405547243bde9c83c4e7c293277b82b93b3b258477511645ed2a047cb776d",
            "path": "update_px8my.sh"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/px8my/MAL-2026-10104.json"