registry  /  loadutils  /  1.0.6

loadutils@1.0.6

debug module using logfmt format

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6580 confirms this npm version as malicious. Package `loadutils` is a typosquat of the widely-used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger — name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in...

Advisory
MAL-2026-6580
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in loadutils (npm)
Details
Package `loadutils` is a typosquat of the widely-used webpack helper `loader-utils`. The shipped README documents the loader-utils API (`urlToRequest`, `interpolateName`, `getHashDigest`), but `src/index.js` instead exports a `debug`-style logger — name, documentation, and implementation do not align. On import, `src/index.js` executes `require('debug-glitzs')` at the top level, but `debug-glitzs` is not declared in `dependencies`, `peerDependencies`, or `optionalDependencies`; whatever resolves to that name in the installer's tree runs in the Node.js process as soon as `loadutils` is required. `package.json` additionally declares `lessload@^1.0.1` as a runtime dependency that is never referenced in `src/` and is unrelated to either the logger code or the advertised loader-utils API, pulling further unaccounted code into the installer's dependency tree on `npm install`. The `contributors` metadata also impersonates a well-known maintainer (`Kiko Beats` paired with an unrelated homepage `alphacointech1010.com`), reinforcing the deceptive packaging.
Decision reason
OpenSSF Malicious Packages via OSV confirms loadutils@1.0.6 as malicious (MAL-2026-6580): Malicious code in loadutils (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory