OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10533 confirms this npm version as malicious. package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine...
Advisory
MAL-2026-10533
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in lusha-iam-widgets (npm)
Details
package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also `import`s `node-fetch`, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (`hlush`) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs `lusha-*` packages.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
HighEntropyStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Low
LowScripts Present
LowHigh Entropy Strings