MAL-2026-10105: Malicious code in pxpure8 (npm)
The npm package pxpure8 version 1.0.2 contains malicious code that dynamically loads and executes arbitrary JavaScript from a third-party package px8my via an unpinned URL. This behavior occurs when pxpure8 is imported or required in browser-like environments, causing untrusted code to run in the host application's context. The package has no legitimate metadata or repository, indicating it is a throwaway package designed solely to load remote code. This creates a supply chain risk where any future malicious updates to px8my can be automatically executed by applications bundling pxpure8.
AI Analysis
Technical Summary
The pxpure8 npm package (version 1.0.2) includes a main script that injects a <script> element pointing to https://cdn.jsdelivr.net/npm/px8my/px.js without version pinning. This causes arbitrary JavaScript from the unrelated px8my package to execute in the context of any browser-like environment that imports pxpure8. The unpinned dependency allows the px8my package owner to change the executed code at any time, potentially introducing malicious behavior. The lack of author information, description, repository, and meaningful metadata suggests pxpure8 is a malicious package intended to load remote code dynamically, posing a supply chain threat to applications that include it.
Potential Impact
Applications that include or bundle pxpure8 version 1.0.2 will execute arbitrary JavaScript controlled by the px8my package owner in their runtime environment. This can lead to compromise of the application's integrity, data leakage, or further malicious activity depending on the code served by px8my. Because the loaded code is unpinned, the risk persists indefinitely and can escalate if px8my publishes malicious updates.
Mitigation Recommendations
No official patch or remediation is currently available. Users should immediately remove pxpure8 version 1.0.2 from their dependencies and avoid including it in any builds or deployments. Since the package dynamically loads untrusted remote code, it should be considered malicious and untrusted. Monitor vendor advisories for any updates or official guidance. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
MAL-2026-10105: Malicious code in pxpure8 (npm)
Description
The npm package pxpure8 version 1.0.2 contains malicious code that dynamically loads and executes arbitrary JavaScript from a third-party package px8my via an unpinned URL. This behavior occurs when pxpure8 is imported or required in browser-like environments, causing untrusted code to run in the host application's context. The package has no legitimate metadata or repository, indicating it is a throwaway package designed solely to load remote code. This creates a supply chain risk where any future malicious updates to px8my can be automatically executed by applications bundling pxpure8.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The pxpure8 npm package (version 1.0.2) includes a main script that injects a <script> element pointing to https://cdn.jsdelivr.net/npm/px8my/px.js without version pinning. This causes arbitrary JavaScript from the unrelated px8my package to execute in the context of any browser-like environment that imports pxpure8. The unpinned dependency allows the px8my package owner to change the executed code at any time, potentially introducing malicious behavior. The lack of author information, description, repository, and meaningful metadata suggests pxpure8 is a malicious package intended to load remote code dynamically, posing a supply chain threat to applications that include it.
Potential Impact
Applications that include or bundle pxpure8 version 1.0.2 will execute arbitrary JavaScript controlled by the px8my package owner in their runtime environment. This can lead to compromise of the application's integrity, data leakage, or further malicious activity depending on the code served by px8my. Because the loaded code is unpinned, the risk persists indefinitely and can escalate if px8my publishes malicious updates.
Mitigation Recommendations
No official patch or remediation is currently available. Users should immediately remove pxpure8 version 1.0.2 from their dependencies and avoid including it in any builds or deployments. Since the package dynamically loads untrusted remote code, it should be considered malicious and untrusted. Monitor vendor advisories for any updates or official guidance. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10105
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba4168715ace4357e30e
Added to database: 07/10/2026, 09:24:17 UTC
Last enriched: 07/10/2026, 09:34:59 UTC
Last updated: 07/10/2026, 09:34:59 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.