npm · Malicious package advisory
Malwaremuaddib-scanner
MAL-2026-4616
Malicious code in muaddib-scanner (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f) package.json declares `"loadash": "^1.0.0"` as a runtime dependency. `loadash` is a well-known typosquat of `lodash` and is never required or imported anywhere in this package's source — the dependency is unused by the scanner itself. Every installer of this package pulls `loadash@^1.0.0` into their node_modules transitively, executing whatever code that namesquat ships. The remaining static signals on this package (curl/ping/POST/child_process/https patterns across `src/scanner/`, `src/ioc/`, `src/rules/`, `src/ml/`, `src/sandbox/`) are consistent with the package's stated purpose (a supply-chain security scanner that inspects other packages' lifecycle scripts, fetches package metadata from `registry.npmjs.org`, and analyzes IOC patterns like `curl http://evil.com` as data); literal strings like `curl http://evil.com` and `$(whoami)` appear as detection rule examples, not as executed commands. The block is on the namespace-abuse vector — a security tool has no legitimate reason to ship an unused typosquat dependency, and installers should not silently acquire it.
Compromised versions (1)
- 2.11.41
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.