OSV Malicious Advisory
scanned 5d ago · by OpenSSF/OSV
OpenSSF/OSV advisory MAL-2026-4616 confirms this npm version as malicious.
Advisory
MAL-2026-4616
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in muaddib-scanner (npm)
Details
package.json declares `"loadash": "^1.0.0"` as a runtime dependency. `loadash` is a well-known typosquat of `lodash` and is never required or imported anywhere in this package's source — the dependency is unused by the scanner itself. Every installer of this package pulls `loadash@^1.0.0` into their node_modules transitively, executing whatever code that namesquat ships. The remaining static signals on this package (curl/ping/POST/child_process/https patterns across `src/scanner/`, `src/ioc/`, `src/rules/`, `src/ml/`, `src/sandbox/`) are consistent with the package's stated purpose (a supply-chain security scanner that inspects other packages' lifecycle scripts, fetches package metadata from `registry.npmjs.org`, and analyzes IOC patterns like `curl http://evil.com` as data); literal strings like `curl http://evil.com` and `$(whoami)` appear as detection rule examples, not as executed commands. The block is on the namespace-abuse vector — a security tool has no legitimate reason to ship an unused typosquat dependency, and installers should not silently acquire it.
Decision reason
OSV/OpenSSF confirms muaddib-scanner@2.11.41 as malicious (advisory MAL-2026-4616: Malicious code in muaddib-scanner (npm)).
References
Source & flagged code
0 flagged. No flagged code excerpts are attached to this scan.
Findings
1 High
High: OSV Malicious Advisory