MAL-2025-192378

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shop-api-sdk/MAL-2025-192378.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-192378
Published
2025-12-08T19:09:22Z
Modified
2025-12-11T09:51:08.701583Z
Summary
Malicious code in shop-api-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a0306448f7e93f12777f1ee6bfa83d502c06b0a61ae631c612fabd3f8a5d6021)

The package shop-api-sdk was found to contain malicious code.

Source: ossf-package-analysis (55244eb11c1f0ccb519ddea9ad901abde196c9cd9387c8a4eb3267df5fcff846)

The OpenSSF Package Analysis project identified 'shop-api-sdk' @ 30.1.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "30.1.1"
            ],
            "sha256": "55244eb11c1f0ccb519ddea9ad901abde196c9cd9387c8a4eb3267df5fcff846",
            "modified_time": "2025-12-08T19:09:22Z",
            "source": "ossf-package-analysis",
            "import_time": "2025-12-08T19:35:16.259623261Z"
        },
        {
            "versions": [
                "30.1.1"
            ],
            "sha256": "a0306448f7e93f12777f1ee6bfa83d502c06b0a61ae631c612fabd3f8a5d6021",
            "modified_time": "2025-12-10T21:03:50Z",
            "source": "amazon-inspector",
            "import_time": "2025-12-10T21:07:48.944030168Z"
        },
        {
            "versions": [
                "30.0.0"
            ],
            "sha256": "9df88087925552afbc95cc8c1ff4512887367255636165d692095bf3bbec52c5",
            "modified_time": "2025-12-11T01:47:51Z",
            "source": "amazon-inspector",
            "import_time": "2025-12-11T02:41:24.57305401Z"
        }
    ]
}
References
Credits

Affected packages

npm / shop-api-sdk

Package

Affected ranges

Affected versions

30.*
30.0.0
30.1.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shop-api-sdk/MAL-2025-192378.json"