Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in lusha-iam-widgets (npm)

lusha-iam-widgets

Risk score

92

AI summary

Indexed incident for lusha-iam-widgets (npm).

Description

package.json declares the node-fetch dependency pinned to a tarball URL on registry.ctzbg.com, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On npm install, npm fetches and installs whatever that endpoint returns as node-fetch, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also imports node-fetch, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (hlush) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs lusha-* packages.

Technical details

Affected versions

=1.5.2

Indicators

  • affected version=1.5.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents