MAL-2025-191993

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/elf-stats-bright-cushion-246/MAL-2025-191993.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191993
Published
2025-12-03T12:20:47Z
Modified
2025-12-23T16:52:09.003475Z
Summary
Malicious code in elf-stats-bright-cushion-246 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (aca57c2ad5fce68eb2f8811ff4330fb699eb2646befd3fd0b18a0877b24324a8)

The package elf-stats-bright-cushion-246 was found to contain malicious code.

Source: ossf-package-analysis (446c7e3631e89c06ddcc0f49de9bb6b839051330d04e0335f6e7d54bd70ed0b1)

The OpenSSF Package Analysis project identified 'elf-stats-bright-cushion-246' @ 5.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-12-03T15:59:29Z",
            "versions": [
                "2.1.0",
                "2.2.0",
                "4.0.0",
                "3.0.0"
            ],
            "sha256": "aca57c2ad5fce68eb2f8811ff4330fb699eb2646befd3fd0b18a0877b24324a8",
            "import_time": "2025-12-03T16:09:45.522386746Z",
            "source": "amazon-inspector"
        },
        {
            "modified_time": "2025-12-03T17:22:10Z",
            "versions": [
                "5.0.0"
            ],
            "sha256": "6271cf2d0ffe9eff65187958e48e2a08a8edfb3f149f5d88c295ccaa45b1691f",
            "import_time": "2025-12-03T17:40:21.111397784Z",
            "source": "amazon-inspector"
        },
        {
            "modified_time": "2025-12-03T12:20:47Z",
            "versions": [
                "5.0.0"
            ],
            "sha256": "446c7e3631e89c06ddcc0f49de9bb6b839051330d04e0335f6e7d54bd70ed0b1",
            "import_time": "2025-12-04T00:27:05.132487112Z",
            "source": "ossf-package-analysis"
        },
        {
            "modified_time": "2025-12-23T08:06:05Z",
            "versions": [
                "2.1.0"
            ],
            "sha256": "f5e01ce2495fd551dced7b8cbc55c19dd2f7eafa55187fa7a988f6c6bbac7862",
            "id": "RLMA-2025-06124",
            "source": "reversing-labs",
            "import_time": "2025-12-23T16:42:57.753923429Z"
        }
    ]
}
References
Credits

Affected packages

npm / elf-stats-bright-cushion-246

Package

Name
elf-stats-bright-cushion-246
View open source insights on deps.dev
Purl
pkg:npm/elf-stats-bright-cushion-246

Affected ranges

Affected versions

2.*
2.1.0
2.2.0
3.*
3.0.0
4.*
4.0.0
5.*
5.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/elf-stats-bright-cushion-246/MAL-2025-191993.json"