-= Per source details. Do not edit below this line.=-
The package ships a single index.html (declared as main) whose only behavior is to fetch https://bitbucket.org/p2p-alt-public/p2p-emis/raw/main/GameWebSight from a mutable third-party branch and inject the response into the DOM via document.open/document.write/document.close. The fetched bytes are unpinned, unverified, and executed as HTML+JavaScript in the browser of anyone who loads the page. The loader is paired with anti-inspection handlers that suppress F12, Ctrl+Shift+I/J/C, Ctrl+U, Ctrl+S, and right-click, and with an interaction gate that only triggers the fetch after a real mousemove/click/keydown — otherwise it renders 'Blocked'. The combination of an external mutable-branch payload, no integrity verification, DevTools/view-source suppression, and a human-interaction sandbox-evasion gate is the dropper-loader pattern: the actual code executed in the visitor's browser is whatever the third-party repository owner chooses to publish at any moment.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"source": "ghsa-malware",
"sha256": "dc402f9d8e63016f89d3140a00c59d5e84d0c71eac453a83dac2858558760d5d",
"import_time": "2026-07-16T09:02:00.001820894Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "GHSA-wp48-4xqv-v7fq",
"modified_time": "2026-07-16T08:13:04Z"
},
{
"id": "IN-MAL-2026-010791",
"sha256": "cd229ca4e2277c5d48e5094c928e156292a44c3b7371ebbf749ef13a08b2fb42",
"modified_time": "2026-07-16T18:48:24Z",
"versions": [
"2.1.7"
],
"source": "amazon-inspector",
"import_time": "2026-07-16T18:54:05.091855704Z"
},
{
"id": "IN-MAL-2026-010792",
"sha256": "e9578c2db9f9fd58bb7b743e3ca8581aa21f4632bb965dcb53b7a4aaa02e5667",
"modified_time": "2026-07-16T18:48:32Z",
"versions": [
"2.1.3"
],
"source": "amazon-inspector",
"import_time": "2026-07-16T18:54:05.126700826Z"
},
{
"source": "amazon-inspector",
"sha256": "0d62782496cf71627f79c57bd660be03b2161ab646d82139923d84ca17adf8a3",
"import_time": "2026-07-16T18:54:04.960023693Z",
"modified_time": "2026-07-16T18:47:57Z",
"id": "IN-MAL-2026-010788",
"versions": [
"2.1.6"
]
},
{
"id": "IN-MAL-2026-010790",
"sha256": "ab2a56b22929c62b081ce423598550f6de633fdd603a60afa0ed88953a4af52d",
"modified_time": "2026-07-16T18:48:16Z",
"versions": [
"2.1.2"
],
"source": "amazon-inspector",
"import_time": "2026-07-16T18:54:05.063042084Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"tlsh": "76f0ac1a00bd007105aa507643dfb0257c666a232686dd8639cc021c4fcd5e3c4efde0",
"sha256": "d53e4f31a86d9613cebd40bfbf6d3c29b00fc5655d4843d57c737207f91770ca",
"path": "index.js"
},
{
"tlsh": "3ee0c21459a2942319c4aa220d9da442a761de6f10503d0d67cf242c82ee67769fe35c",
"sha256": "a87e5c962cf8ab68276d33e7b8182e3f1b3d7faa530dd82c0f2b7212e4d01b48",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loader1/MAL-2026-10696.json"