MAL-2026-10088
Malicious code in lovable-tager (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a) `lovable-tager` is a single-character-deletion typosquat of the legitimate Vite plugin `lovable-tagger`. The ESM entry `dist/index.js` (referenced by `main`) contains the clean plugin code followed by ~6 KB of tab padding and then an appended obfuscator.io-style permutation-obfuscated IIFE. On module load, the IIFE assigns `global.require`, `global.__dirname`, and `global.__filename`, derives `Function` via a deshuffled `constructor` lookup, constructs a new Function from an obfuscated string body, and immediately invokes it. The sibling CJS build `dist/index.cjs`, produced from the same source, contains only the clean plugin code with no such trailer — indicating the payload was smuggled into the published tarball after the normal build ran, hidden behind tab padding that suppresses it in most editors and diff views. Any project that adds the mistyped name to its Vite config executes attacker-controlled code inside the developer's Node process at plugin-load time, with the ability to reach `require`, the filesystem, and the network of the build host.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for lovable-tager (npm). Pin to a known-safe version or switch to an alternative.