Supply-chain threat intelligence
Risk score
92
Indexed incident for lusha-iam-widgets (npm).
package.json declares the node-fetch dependency pinned to a tarball URL on registry.ctzbg.com, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On npm install, npm fetches and installs whatever that endpoint returns as node-fetch, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also imports node-fetch, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (hlush) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs lusha-* packages.
Affected versions
Indicators
Timeline