OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6580 confirms this npm version as malicious. Package `loadutils` is a typosquat of the widely-used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger — name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in...
Advisory
MAL-2026-6580
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in loadutils (npm)
Details
Package `loadutils` is a typosquat of the widely-used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger — name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in `dependencies`, `peerDependencies`, or `optionalDependencies`; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as `loadutils` is required. `package.json` additionally declares `lessload@^1.0.1` as a runtime dependency that is never referenced in `src/` and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on `npm install`. The `contributors` metadata also impersonates a well-known maintainer (`Kiko Beats` paired with an unrelated homepage `alphacointech1010.com`), reinforcing the deceptive packaging.
Decision reason
OpenSSF Malicious Packages via OSV confirms loadutils@1.0.5 as malicious (MAL-2026-6580): Malicious code in loadutils (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory