lessload version 1.0.1 is a malicious npm package designed to impersonate the legitimate debug package by replicating its API, contributor list, and description. It embeds a backdoor in the exported enable() function located in src/common.js. When enable(namespaces) is invoked, the package sends an HTTPS request to https://fundraiser-success.vercel.app/api/debugCheck?id=<namespaces>, leaking the namespaces argument to the attacker. The response contains a base64-encoded message that is decoded and executed via new Function('require', decoded)(require), granting the attacker arbitrary code execution with full require access inside the consumer's Node.js process. The malicious code is hidden behind comments claiming it is for debugging purposes, making it appear legitimate. This backdoor activates on the first call to enable(), affecting any consumer expecting debug package behavior.

An attacker controlling the remote endpoint can execute arbitrary code within the Node.js process of any application that installs and calls enable() on [email protected]. This includes full access to require modules, potentially leading to complete compromise of the host environment. Additionally, the attacker receives leaked data from the caller, which may include sensitive namespace information.

No official patch or fix is currently available for [email protected]. Users should avoid installing or using this package. Replace any usage of lessload with the legitimate debug package or verified alternatives. Conduct audits of dependencies to detect and remove this malicious package. Monitor package sources carefully to prevent supply chain compromise. Patch status is not yet confirmed — check vendor advisories or trusted sources for updates.