MAL-2026-6580

Malicious code in loadutils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (31f1f1f6292d782062f6fff1f7422d9f1dc0eb1572e4372d6c0d574ccea3ab3a)

Package `loadutils` is a typosquat of the widely-used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger: name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in `dependencies`, `peerDependencies`, or `optionalDependencies`; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as `loadutils` is required. `package.json` additionally declares `lessload@^1.0.1` as a runtime dependency that is never referenced in `src/` and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on `npm install`. The `contributors` metadata also impersonates a well-known maintainer (`Kiko Beats` paired with an unrelated homepage `alphacointech1010.com`), reinforcing the deceptive packaging.

Affected packages

npm / loadutils
Introduced in: 0

No fixed version published yet for loadutils (npm). Pin to a known-safe version or switch to an alternative.