MAL-2026-10104
Malicious code in px8my (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf) The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for px8my (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/px8my/v/1.0.32 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.23 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.13 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.35 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.22 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.36 [PACKAGE]