registry  /  lusha-iam-widgets  /  1.5.2

lusha-iam-widgets@1.5.2

A React-based UI package for integrating IAM widgets into your application

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10533 confirms this npm version as malicious. package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine...

Advisory
MAL-2026-10533
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in lusha-iam-widgets (npm)
Details
package.json declares the `node-fetch` dependency pinned to a tarball URL on `registry.ctzbg.com`, a host unrelated to the npm registry and unrelated to any Lusha-owned infrastructure. On `npm install`, npm fetches and installs whatever that endpoint returns as `node-fetch`, running any lifecycle scripts of the fetched package on the installer's machine. The package's main component also `import`s `node-fetch`, so the attacker-controlled module executes at require time as well. The package name and stated purpose impersonate Lusha's B2B IAM tooling while the publisher (`hlush`) is unaffiliated, consistent with a dependency-confusion lure aimed at Lusha's internal build systems and any org that installs `lusha-*` packages.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 5.18 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Low
LowScripts Present
LowHigh Entropy Strings