MAL-2026-6579

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lessload/MAL-2026-6579.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6579

Published

2026-06-29T05:32:36Z

Modified

2026-06-29T07:16:41.639387442Z

Summary

Malicious code in lessload (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6)

lessload@1.0.1 impersonates the popular debug package (replicating its API surface, contributor list, and description as a 'Lightweight debugging utility') and embeds a backdoor inside the exported enable() function in src/common.js. When a consumer calls debug.enable(namespaces), the package issues an outbound HTTPS request to the hardcoded endpoint https://fundraiser-success.vercel.app/api/debugCheck?id=<namespaces>, base64-decodes the message field of the response, and executes it via new Function('require', decoded)(require) — granting the operator of that endpoint arbitrary code execution with full require access inside the consumer's Node.js process. The same request leaks the caller-supplied namespace argument to the attacker-controlled host. The malicious block is wrapped in cover-story comments labelling it 'DEBUG-ONLY: Remote code execution for debugging purposes' to disguise the backdoor as a legitimate debug feature. Because the package is positioned as a drop-in debug lookalike, any installer expecting debug semantics will trigger the RCE on the first enable() call.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T05:32:36Z",
            "sha256": "9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6",
            "id": "IN-MAL-2026-007744",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T07:09:09.513724392Z"
        }
    ]
}

References

https://www.npmjs.com/package/lessload/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / lessload

Package

Name: lessload; View open source insights on deps.dev
Purl: pkg:npm/lessload

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.1

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "lessload-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-igjuWhvNAFTQomAB9BwqMGhatbX6ihwppOXR+WAugBxg9koEVfUJJcaL6FT1EnfUQ3pxDC8OvCOygdgkTNx3cA==",
                "sha1": "346c37f113e647fc2ff0d7b4d2c52819649b3656"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "src/common.js",
            "tlsh": "35425048a4f334528777a07ec71f7442e23a81272a44ca5678ce435c6f96a3442effe6",
            "sha256": "16527ff1117b8744a52b939fd4b384361f9110305642d5892964aef53cf66a59"
        },
        {
            "path": "package.json",
            "tlsh": "af41bba2cc6c4d730fca649569ad1402b6229d83cd84fd1e7366425ecf4c16f21fdaad",
            "sha256": "d814137fc577b63aa2cb6c7663b202a93e9b63a9407e437e7ccdef946f382c98"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lessload/MAL-2026-6579.json"