MAL-2026-10533
Malicious code in lusha-iam-widgets (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (46142505b88a255674663ced6e8bce8c8f3e28c0936e463e07463a7e1331e5af) package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also `import`s `node-fetch`, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (`hlush`) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs `lusha-*` packages.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for lusha-iam-widgets (npm). Pin to a known-safe version or switch to an alternative.