MAL-2026-10104
Malicious code in px8my (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf) The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for px8my (npm). Pin to a known-safe version or switch to an alternative.
참고
- https://www.npmjs.com/package/px8my/v/1.0.32 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.23 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.13 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.35 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.22 [PACKAGE]
- https://www.npmjs.com/package/px8my/v/1.0.36 [PACKAGE]