MAL-2026-10726
Malicious code in astro (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (949822741657acf4a6b9f6255a2f7a080ca1cc3343e9663020c5e21ce2a6b03c) This tarball is published as astro@7.1.0 but does not match the legitimate withastro/astro project (which is on the v5.x line and depends on picocolors, debug, and @astrojs/markdown-remark). The package.json declares dependencies on typosquat-shaped names on the same registry: piccolore, obug, and @astrojs/markdown-satteri. Core modules import these look-alikes unconditionally — dist/core/logger/node.js contains `import { createDebug, enable as obugEnable } from "obug"` and dist/cli/infra/piccolore-text-styler.js contains `import colors from "piccolore"` — so any `require('astro')` or CLI invocation causes those attacker-controlled packages to be resolved and executed inside the installer's node_modules tree. The version jump from the real 5.x line and the substitution of the standard utility dependencies with lookalike names indicate a registry impersonation of the astro framework, structured as a dependency-chain dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for astro (npm). Pin to a known-safe version or switch to an alternative.