Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in loadutils (npm)

loadutils

Risk score

92

AI summary

Indexed incident for loadutils (npm).

Description

Package loadutils is a typosquat of the widely-used webpack helper loader-utils. The shipped README documents the loader-utils API (urlToRequest, interpolateName, getHashDigest), but src/index.js instead exports a debug-style logger — name, documentation, and implementation do not align. On import, src/index.js executes require('debug-glitzs') at the top level, but debug-glitzs is not declared in dependencies, peerDependencies, or optionalDependencies; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as loadutils is required. package.json additionally declares lessload@^1.0.1 as a runtime dependency that is never referenced in src/ and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on npm install. The contributors metadata also impersonates a well-known maintainer (Kiko Beats paired with an unrelated homepage alphacointech1010.com), reinforcing the deceptive packaging.

Technical details

Affected versions

=1.0.4=1.0.5=1.0.6>=0

Indicators

  • affected version=1.0.475%
  • affected version=1.0.575%
  • affected version=1.0.675%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents