VDB
KO

MAL-2026-10105

Malicious code in pxpure8 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a40ae433e9fa90bfbb449d343c281375329a44c0dacf080a91a0c1717579b679) The package's main entry (pure.js) consists of a single behavior: it creates a <script> element pointing at https://cdn.jsdelivr.net/npm/px8my/px.js (no version pin) and appends it to document.head. When the module is required/imported in any browser-like environment (browser bundling, jsdom, Electron renderer), this causes arbitrary JavaScript from the unrelated `px8my` npm package — at whatever version its owner most recently published — to execute in the host page context. The destination is a different publisher's package, the version is unpinned (so the executed bytes are author-mutable at any time by a third party), and there is no documented purpose for this loader behavior. Package metadata reinforces the loader/lure shape: empty author, empty description, no repository, default test script — a throwaway package whose only function is to pull in remote third-party code. An installer that bundles or loads pxpure8 ends up shipping whatever px8my publishes, including any future malicious version, into their own application's execution context.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / pxpure8

No fixed version published yet for pxpure8 (npm). Pin to a known-safe version or switch to an alternative.

References