registry  /  px8my  /  1.0.32

px8my@1.0.32

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10104 confirms this npm version as malicious. The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an...

Advisory
MAL-2026-10104
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in px8my (npm)
Details
The package's main entry (px.js) is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL https://mfmz.ywdyxn.cn/H.html?c=0gjr and appends it to document.body, hijacking any web page that loads this script via a CDN such as jsDelivr. The package ships no legitimate library API and would throw if require()'d in Node. The tarball also includes update_px8my.sh, an operator/rotation script that regex-replaces the redirect domain inside px.js, auto-bumps the patch version, runs npm publish, and then hits https://purge.jsdelivr.net/npm/px8my/px.js to force-refresh the CDN cache; a comment in that script notes that curl is blocked by the npm anti-abuse tool tirith. The combination — a hardcoded redirect payload plus a shipped domain-rotation/CDN-purge automation with an explicit anti-abuse-evasion note — establishes the package as a purpose-built malicious distribution vehicle abusing npm and jsDelivr to deliver browser redirects to end users of any site including this script.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.50 KB of source

Source & flagged code

1 flagged · loading source
update_px8my.shView file
path = update_px8my.sh kind = build_helper sizeBytes = 1400 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

update_px8my.shView on unpkg

Findings

1 Medium2 Low
MediumShips Build Helperupdate_px8my.sh
LowScripts Present
LowHigh Entropy Strings