MAL-2026-10105

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pxpure8/MAL-2026-10105.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10105
Published
2026-07-09T23:09:27Z
Modified
2026-07-09T23:47:00.183795953Z
Summary
Malicious code in pxpure8 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679)

The package's main entry (pure.js) consists of a single behavior: it creates a <script> element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated px8my npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-009600",
            "import_time": "2026-07-09T23:30:56.316754416Z",
            "modified_time": "2026-07-09T23:09:27Z",
            "sha256": "a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / pxpure8

Package

Affected ranges

Affected versions

1.*
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "pxpure8-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-zl6TenA1lLpGO7wunk6KDGbob6qNgimLoIVewUIlR3hzBjndpQMNxDnGgYH6IcpXQqqJX5yy4LERiTYtk3oeTA==",
                "sha1": "5586296c2a656fb3fecefc2b98dce1dc0dde7d2e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "86002d8a49e829ca7d529eb48e10f7f27c46269556ba67667fd1314a40e4fc9c",
            "tlsh": "e1c0806a651575344255509d3037d6b478f3112965119181456ddc190d61d811c5fc90",
            "path": "pure.js"
        },
        {
            "tlsh": "e4d0a7141961953315c455260e399153b721df5f00547c0d57cf282c52cfa736cfa30d",
            "sha256": "4281502bbb94b3de31549000e2a3b17652df7c1dcaacb3232a2ced75384aa5eb",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pxpure8/MAL-2026-10105.json"