registry  /  maplibre-gl-vue3  /  5.24.2

maplibre-gl-vue3@5.24.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6592 confirms this npm version as malicious. The package advertises itself as MapLibre GL bindings for Vue 3 and re-exports the upstream maplibre-gl API, but on import it unconditionally injects a <script> tag into document.head pointing at http://121.199.166.250:19527/myApi/pipesnetwork.js. src/index.ts calls loadGuardScript() at module top level; src/license.ts defines GUARD_SCRIPT_URL and appends the script element to document.head...

Advisory
MAL-2026-6592
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in maplibre-gl-vue3 (npm)
Details
The package advertises itself as MapLibre GL bindings for Vue 3 and re-exports the upstream maplibre-gl API, but on import it unconditionally injects a <script> tag into document.head pointing at http://121.199.166.250:19527/myApi/pipesnetwork.js. src/index.ts calls loadGuardScript() at module top level; src/license.ts defines GUARD_SCRIPT_URL and appends the script element to document.head. Any Vue 3 application that imports this package will fetch and execute attacker-controlled JavaScript from a hardcoded bare-IP, plaintext-HTTP endpoint in the consumer's browser context — giving the operator of that endpoint full access to cookies, localStorage, session tokens, and user input in the host application. The endpoint is unpinned (no SRI, no version), served over HTTP (mutable in transit), and unrelated to mapping functionality. A source comment ('改这里:发布给第三方前换成你托管的 guard 脚本地址' — 'change this before releasing to third parties: replace with your hosted guard script address') indicates the loader is intended to deliver third-party-controlled code to downstream consumers. The package name also shadows the maplibre-gl ecosystem (legitimate Vue bindings are published as vue-maplibre-gl), increasing the chance of accidental installation.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 595 file(s), 8.74 MB of source, external domains: demotiles.maplibre.org, developer.mozilla.org, en.wikipedia.org, example.com, example2.com, foo.maplibre.org, github.com, maplibre.org, medium.com, somewhere.com, tiles.server, unpkg.com, upload.wikimedia.org, www.bing.com, www.foo.com, www.w3.org
Oversized source lightweight scan
dist/maplibre-gl-csp-dev.js2.81 MB file, sampled 256 KB
HighEntropyStringsUrlStringsgithub.commaplibre.orgwww.w3.org
dist/maplibre-gl-dev.js2.89 MB file, sampled 256 KB
UrlStringswww.w3.org

Source & flagged code

1 flagged · loading source
dist/maplibre-gl-csp-dev.jsView file
path = dist/maplibre-gl-csp-dev.js kind = oversized_source_file sizeBytes = 2941819 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/maplibre-gl-csp-dev.jsView on unpkg

Findings

1 High3 Medium6 Low
HighOversized Source Filedist/maplibre-gl-csp-dev.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings