OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6592 confirms this npm version as malicious. The package advertises itself as MapLibre GL bindings for Vue 3 and re-exports the upstream maplibre-gl API, but on import it unconditionally injects a <script> tag into document.head pointing at http://121.199.166.250:19527/myApi/pipesnetwork.js. src/index.ts calls loadGuardScript() at module top level; src/license.ts defines GUARD_SCRIPT_URL and appends the script element to document.head...
Advisory
MAL-2026-6592
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in maplibre-gl-vue3 (npm)
Details
The package advertises itself as MapLibre GL bindings for Vue 3 and re-exports the upstream maplibre-gl API, but on import it unconditionally injects a <script> tag into document.head pointing at http://121.199.166.250:19527/myApi/pipesnetwork.js. src/index.ts calls loadGuardScript() at module top level; src/license.ts defines GUARD_SCRIPT_URL and appends the script element to document.head. Any Vue 3 application that imports this package will fetch and execute attacker-controlled JavaScript from a hardcoded bare-IP, plaintext-HTTP endpoint in the consumer's browser context — giving the operator of that endpoint full access to cookies, localStorage, session tokens, and user input in the host application. The endpoint is unpinned (no SRI, no version), served over HTTP (mutable in transit), and unrelated to mapping functionality. A source comment ('改这里:发布给第三方前换成你托管的 guard 脚本地址' — 'change this before releasing to third parties: replace with your hosted guard script address') indicates the loader is intended to deliver third-party-controlled code to downstream consumers. The package name also shadows the maplibre-gl ecosystem (legitimate Vue bindings are published as vue-maplibre-gl), increasing the chance of accidental installation.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Oversized source lightweight scan
dist/maplibre-gl-csp-dev.js2.81 MB file, sampled 256 KB
HighEntropyStringsUrlStringsgithub.commaplibre.orgwww.w3.org
dist/maplibre-gl-dev.js2.89 MB file, sampled 256 KB
UrlStringswww.w3.org
Source & flagged code
1 flagged · loading sourcedist/maplibre-gl-csp-dev.jsView file
•path = dist/maplibre-gl-csp-dev.js
kind = oversized_source_file
sizeBytes = 2941819
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/maplibre-gl-csp-dev.jsView on unpkgFindings
1 High3 Medium6 Low
HighOversized Source Filedist/maplibre-gl-csp-dev.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings