Supply-chain threat intelligence
Risk score
92
Indexed incident for loadutils (npm).
Package loadutils is a typosquat of the widely-used webpack helper loader-utils. The shipped README documents the loader-utils API (urlToRequest, interpolateName, getHashDigest), but src/index.js instead exports a debug-style logger — name, documentation, and implementation do not align. On import, src/index.js executes require('debug-glitzs') at the top level, but debug-glitzs is not declared in dependencies, peerDependencies, or optionalDependencies; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as loadutils is required. package.json additionally declares lessload@^1.0.1 as a runtime dependency that is never referenced in src/ and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on npm install. The contributors metadata also impersonates a well-known maintainer (Kiko Beats paired with an unrelated homepage alphacointech1010.com), reinforcing the deceptive packaging.
Affected versions
Indicators
Timeline