MAL-2026-10533

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lusha-iam-widgets/MAL-2026-10533.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10533
Published
2026-07-14T03:51:36Z
Modified
2026-07-14T04:46:57.600970725Z
Summary
Malicious code in lusha-iam-widgets (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af)

package.json declares the node-fetch dependency pinned to a tarball URL on registry.ctzbg.com, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On npm install, npm fetches and installs whatever that endpoint returns as node-fetch, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also imports node-fetch, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (hlush) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs lusha-* packages.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:51:36Z",
            "versions": [
                "1.5.2"
            ],
            "sha256": "46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af",
            "id": "IN-MAL-2026-010382",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T04:32:00.071232104Z"
        }
    ]
}
References
Credits

Affected packages

npm / lusha-iam-widgets

Package

Affected ranges

Affected versions

1.*
1.5.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "df21b825c4341de30ac911a5acbc2103b5a2484f98987c9837c3922c9f5e8ef31bdaad",
            "sha256": "240e9530db299d4645bc8fc9abc51efa16d1ddc85ca540bcc6c83d6099ab9358",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "de6f7e7d7fc0111936003ca8ffc0cb360581fde2",
                "sha512_sri": "sha512-Djf9HldK097x8TdMWj9dCM3bmrA46/2vVg7iwEHpJxbptQaadMMPxOfApyF2lTJBpx3QKo81E4WwNA6HO0i8Cg=="
            },
            "filename": "lusha-iam-widgets-1.5.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lusha-iam-widgets/MAL-2026-10533.json"