registry  /  loader1  /  2.1.7

loader1@2.1.7

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10696 confirms this npm version as malicious. The package ships a single index.html (declared as main) whose only behavior is to fetch https://bitbucket.org/p2p-alt-public/p2p-emis/raw/main/GameWebSight from a mutable third-party branch and inject the response into the DOM via document.open/document.write/document.close. The fetched bytes are unpinned, unverified, and executed as HTML+JavaScript in the browser of anyone who loads the page...

Advisory
MAL-2026-10696
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in loader1 (npm)
Details
The package ships a single index.html (declared as main) whose only behavior is to fetch https://bitbucket.org/p2p-alt-public/p2p-emis/raw/main/GameWebSight from a mutable third-party branch and inject the response into the DOM via document.open/document.write/document.close. The fetched bytes are unpinned, unverified, and executed as HTML+JavaScript in the browser of anyone who loads the page. The loader is paired with anti-inspection handlers that suppress F12, Ctrl+Shift+I/J/C, Ctrl+U, Ctrl+S, and right-click, and with an interaction gate that only triggers the fetch after a real mousemove/click/keydown — otherwise it renders 'Blocked'. The combination of an external mutable-branch payload, no integrity verification, DevTools/view-source suppression, and a human-interaction sandbox-evasion gate is the dropper-loader pattern: the actual code executed in the visitor's browser is whatever the third-party repository owner chooses to publish at any moment. ## Source: ghsa-malware (dc402f9d8e63016f89d3140a00c59d5e84d0c71eac453a83dac2858558760d5d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms loader1@2.1.7 as malicious (MAL-2026-10696): Malicious code in loader1 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory