VDB
KO

MAL-2026-10533

Malicious code in lusha-iam-widgets (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af) package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also `import`s `node-fetch`, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (`hlush`) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs `lusha-*` packages.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / lusha-iam-widgets

No fixed version published yet for lusha-iam-widgets (npm). Pin to a known-safe version or switch to an alternative.

References