MAL-2026-6580

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadutils/MAL-2026-6580.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6580
Published
2026-06-29T06:39:52Z
Modified
2026-06-29T07:16:41.830821526Z
Summary
Malicious code in loadutils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a)

Package loadutils is a typosquat of the widely used webpack helper loader-utils. The shipped README documents the loader-utils API (urlToRequest, interpolateName, getHashDigest), but src/index.js instead exports a debug-style logger, so name, documentation, and implementation do not align. On import, src/index.js executes require('debug-glitzs') at the top level, yet debug-glitzs is not declared in dependencies, peerDependencies, or optionalDependencies; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as loadutils is required. package.json additionally declares lessload@^1.0.1 as a runtime dependency that is never referenced in src/ and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on npm install. The contributors metadata also impersonates a well-known maintainer (Kiko Beats paired with an unrelated homepage alphacointech1010.com), reinforcing the deceptive packaging.
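The two packaging defects described above (a top-level require of a module that no dependency field declares, and a declared dependency that no source file references) are both detectable by a static comparison of package.json against the require/import specifiers in the shipped JavaScript. The script below is an added example written for this page; it is not code from OSV, Amazon Inspector, or the loadutils package. It assumes a package unpacked on disk with package.json at the root, builds a constructed sample that mirrors the advisory's description (the real tarball is not used), and reports undeclared and unused dependencies. The builtin-module list and the regex-based specifier extraction are simplifications.

```python
"""Audit an unpacked npm package for require/import specifiers that are not
declared in package.json, and for declared dependencies never referenced.
Added example for this advisory page; not the project's or OSV's own code."""
import json
import os
import re
import sys
import tempfile

# Illustrative subset of Node.js builtin modules (assumption: enough for this check).
NODE_BUILTINS = {
    "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
    "https", "net", "os", "path", "stream", "url", "util", "zlib",
}

# CommonJS require('x') and ES module import/export ... from 'x' forms.
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""(?:import|export)\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]""")


def bare_package_name(specifier):
    """Reduce 'pkg/sub' or '@scope/pkg/sub' to the package name; None for relative paths."""
    if specifier.startswith((".", "/")):
        return None
    if specifier.startswith("node:"):
        specifier = specifier[len("node:"):]
    parts = specifier.split("/")
    if specifier.startswith("@") and len(parts) >= 2:
        return parts[0] + "/" + parts[1]
    return parts[0]


def declared_dependencies(pkg):
    """Union of every dependency field's package names."""
    names = set()
    for field in ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies"):
        names.update(pkg.get(field, {}).keys())
    return names


def scan_js_files(root):
    """Yield (relative path, specifier) for each require/import under root, skipping node_modules."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fn in filenames:
            if not fn.endswith((".js", ".mjs", ".cjs")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            rel = os.path.relpath(path, root)
            for m in REQUIRE_RE.finditer(text):
                yield rel, m.group(1)
            for m in IMPORT_RE.finditer(text):
                yield rel, m.group(1)


def audit_package(root):
    """Return {'undeclared': {name: [files]}, 'unused': [names]} for the package at root."""
    with open(os.path.join(root, "package.json"), encoding="utf-8") as f:
        pkg = json.load(f)
    declared = declared_dependencies(pkg)
    referenced = {}
    for rel, spec in scan_js_files(root):
        name = bare_package_name(spec)
        if name is None or name in NODE_BUILTINS:
            continue
        referenced.setdefault(name, set()).add(rel)
    undeclared = {n: sorted(files) for n, files in referenced.items() if n not in declared}
    unused = sorted(declared - set(referenced))
    return {"undeclared": undeclared, "unused": unused}


def build_sample_package():
    """Constructed sample reproducing the advisory's description, not the real tarball."""
    root = tempfile.mkdtemp(prefix="loadutils-sample-")
    os.makedirs(os.path.join(root, "src"))
    manifest = {
        "name": "loadutils", "version": "1.0.4", "main": "src/index.js",
        "dependencies": {"lessload": "^1.0.1"},  # declared but never required
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(root, "src", "index.js"), "w", encoding="utf-8") as f:
        # Top-level require of an undeclared module, plus a harmless builtin.
        f.write("const dbg = require('debug-glitzs');\n"
                "const path = require('path');\n"
                "module.exports = (ns) => dbg(ns);\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_package()
    print(json.dumps(audit_package(target), indent=2))
```

Run it with the path of an unpacked package (for example after `npm pack` and `tar xzf`), or with no argument to audit the constructed sample; a non-empty "undeclared" list is the signal that the install-time module graph is not the one package.json advertises, and a non-empty "unused" list flags dependencies that pull code into the tree without any reference in the source.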

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T06:39:52Z",
            "sha256": "31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a",
            "id": "IN-MAL-2026-007768",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:11.190833495Z"
        }
    ]
}
References
Credits

Affected packages

npm / loadutils

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.0.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadutils/MAL-2026-6580.json"
indicators
{
    "package_integrity": [
        {
            "filename": "loadutils-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-mT4cKT0GWk+OacN3moFEBtg8/rYsVhMOUm2t18nFKFAYysQv/EW/Ffyi3LjHhZzWhpd5K84PBErfyrmci3WCaw==",
                "sha1": "801ca76f569e5fe16f972e4f1ba20770242eff5c"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "README.md",
            "tlsh": "d8d1b8660f569d3297288bb5780994f0e312612ca526c476a0d5a4ecd3e37d0f9f13e5",
            "sha256": "0ee2b5a25c3ef8d4e0d60fae718d3a16ffabbfc48b13d65b8af34e22c06f4411"
        },
        {
            "path": "src/index.js",
            "tlsh": "52517355916b6042067356abda9b680afb3fe02334339165be1da3c11fb3b004916fea",
            "sha256": "d7d6f65dc61f08413988d39a4a6f9b60b21987b8a43e281d367cea5a9b6269af"
        },
        {
            "path": "package.json",
            "tlsh": "1381cd67cd684d770ac9926aa8694202b660c9438e58fc1c739d439dcf4d07f21fe7ae",
            "sha256": "9dcef13879e01ec7f69b751d7ca1a8153e76e649092790c23401047ad7087c9d"
        }
    ]
}