-= Per source details. Do not edit below this line.=-
The package's main entry (pure.js) consists of a single behavior: it creates a <script> element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated px8my npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.2"
],
"id": "IN-MAL-2026-009600",
"import_time": "2026-07-09T23:30:56.316754416Z",
"modified_time": "2026-07-09T23:09:27Z",
"sha256": "a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "pxpure8-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-zl6TenA1lLpGO7wunk6KDGbob6qNgimLoIVewUIlR3hzBjndpQMNxDnGgYH6IcpXQqqJX5yy4LERiTYtk3oeTA==",
"sha1": "5586296c2a656fb3fecefc2b98dce1dc0dde7d2e"
}
}
],
"evidence_files": [
{
"sha256": "86002d8a49e829ca7d529eb48e10f7f27c46269556ba67667fd1314a40e4fc9c",
"tlsh": "e1c0806a651575344255509d3037d6b478f3112965119181456ddc190d61d811c5fc90",
"path": "pure.js"
},
{
"tlsh": "e4d0a7141961953315c455260e399153b721df5f00547c0d57cf282c52cfa736cfa30d",
"sha256": "4281502bbb94b3de31549000e2a3b17652df7c1dcaacb3232a2ced75384aa5eb",
"path": "package.json"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pxpure8/MAL-2026-10105.json"