registry  /  lovable-tager  /  1.4.0

lovable-tager@1.4.0

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10088 confirms this npm version as malicious. `lovable-tager` is a single-character-deletion typosquat of the legitimate Vite plugin `lovable-tagger`. The ESM entry `dist/index.js` (referenced by `main`) contains the clean plugin code followed by ~6 KB of tab padding and then an appended obfuscator.io-style permutation-obfuscated IIFE. On module load, the IIFE assigns `global.require`, `global.__dirname`, and `global.__filename`, derives `Function` via a...

Advisory
MAL-2026-10088
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in lovable-tager (npm)
Details
`lovable-tager` is a single-character-deletion typosquat of the legitimate Vite plugin `lovable-tagger`. The ESM entry `dist/index.js` (referenced by `main`) contains the clean plugin code followed by ~6 KB of tab padding and then an appended obfuscator.io-style permutation-obfuscated IIFE. On module load, the IIFE assigns `global.require`, `global.__dirname`, and `global.__filename`, derives `Function` via a deshuffled `constructor` lookup, constructs a new Function from an obfuscated string body, and immediately invokes it. The sibling CJS build `dist/index.cjs`, produced from the same source, contains only the clean plugin code with no such trailer — indicating the payload was smuggled into the published tarball after the normal build ran, hidden behind tab padding that suppresses it in most editors and diff views. Any project that adds the mistyped name to its Vite config executes attacker-controlled code inside the developer's Node process at plugin-load time, with the ability to reach `require`, the filesystem, and the network of the build host.
Decision reason
OpenSSF Malicious Packages via OSV confirms lovable-tager@1.4.0 as malicious (MAL-2026-10088): Malicious code in lovable-tager (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory