-= Per source details. Do not edit below this line.=-
package.json declares the node-fetch dependency pinned to a tarball URL on registry.ctzbg.com, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On npm install, npm fetches and installs whatever that endpoint returns as node-fetch, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also imports node-fetch, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (hlush) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs lusha-* packages.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T03:51:36Z",
"versions": [
"1.5.2"
],
"sha256": "46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af",
"id": "IN-MAL-2026-010382",
"source": "amazon-inspector",
"import_time": "2026-07-14T04:32:00.071232104Z"
}
]
}{
"evidence_files": [
{
"tlsh": "df21b825c4341de30ac911a5acbc2103b5a2484f98987c9837c3922c9f5e8ef31bdaad",
"sha256": "240e9530db299d4645bc8fc9abc51efa16d1ddc85ca540bcc6c83d6099ab9358",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "de6f7e7d7fc0111936003ca8ffc0cb360581fde2",
"sha512_sri": "sha512-Djf9HldK097x8TdMWj9dCM3bmrA46/2vVg7iwEHpJxbptQaadMMPxOfApyF2lTJBpx3QKo81E4WwNA6HO0i8Cg=="
},
"filename": "lusha-iam-widgets-1.5.2.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lusha-iam-widgets/MAL-2026-10533.json"