Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10105: Malicious code in pxpure8 (npm)

0
High
Published: 07/09/2026 (07/09/2026, 23:09:27 UTC)
Source: GCVE Database
Product: pxpure8

Description

The npm package pxpure8 version 1.0.2 contains malicious code that dynamically loads and executes arbitrary JavaScript from a third-party package px8my via an unpinned URL. This behavior occurs when pxpure8 is imported or required in browser-like environments, causing untrusted code to run in the host application's context. The package has no legitimate metadata or repository, indicating it is a throwaway package designed solely to load remote code. This creates a supply chain risk where any future malicious updates to px8my can be automatically executed by applications bundling pxpure8.

Affected software

npmghsa
pxpure8
Affected versions
=1.0.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 09:34:59 UTC

Technical Analysis

The pxpure8 npm package (version 1.0.2) includes a main script that injects a <script> element pointing to https://cdn.jsdelivr.net/npm/px8my/px.js without version pinning. This causes arbitrary JavaScript from the unrelated px8my package to execute in the context of any browser-like environment that imports pxpure8. The unpinned dependency allows the px8my package owner to change the executed code at any time, potentially introducing malicious behavior. The lack of author information, description, repository, and meaningful metadata suggests pxpure8 is a malicious package intended to load remote code dynamically, posing a supply chain threat to applications that include it.

Potential Impact

Applications that include or bundle pxpure8 version 1.0.2 will execute arbitrary JavaScript controlled by the px8my package owner in their runtime environment. This can lead to compromise of the application's integrity, data leakage, or further malicious activity depending on the code served by px8my. Because the loaded code is unpinned, the risk persists indefinitely and can escalate if px8my publishes malicious updates.

Mitigation Recommendations

No official patch or remediation is currently available. Users should immediately remove pxpure8 version 1.0.2 from their dependencies and avoid including it in any builds or deployments. Since the package dynamically loads untrusted remote code, it should be considered malicious and untrusted. Monitor vendor advisories for any updates or official guidance. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10105
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50ba4168715ace4357e30e

Added to database: 07/10/2026, 09:24:17 UTC

Last enriched: 07/10/2026, 09:34:59 UTC

Last updated: 07/10/2026, 09:34:59 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses