MAL-2025-22

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vf-org/smapi-js-core/MAL-2025-22.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-22
Published
2025-01-06T14:50:50Z
Modified
2025-01-08T23:05:52Z
Summary
Malicious code in @vf-org/smapi-js-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (bb778953ccadf1ddd3d3249677a4b7c27133ddd85d451ebe6cf0e04611264b86)

The OpenSSF Package Analysis project identified '@vf-org/smapi-js-core' @ 8.2.10 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2025-01-06T15:05:37.941040121Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-06T14:50:50Z",
            "versions": [
                "8.2.0"
            ],
            "sha256": "4d12d4e4388bdfd37673aa9e4527d481312b56703325b9cc938f22cac268f25e"
        },
        {
            "import_time": "2025-01-08T16:06:28.521128934Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T16:06:15Z",
            "versions": [
                "8.2.8"
            ],
            "sha256": "c65a9bdbdc937bde66ed0fc1af5eacb32463d2b5b5ff062fb3c27be47ba9fe03"
        },
        {
            "import_time": "2025-01-08T17:34:55.668590305Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T17:10:46Z",
            "versions": [
                "8.2.9"
            ],
            "sha256": "a44e7fb0287f1237c5151a7ad602c96a4a732a7278f5177c6e8421243bfa726a"
        },
        {
            "import_time": "2025-01-08T17:34:55.8391035Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T17:15:47Z",
            "versions": [
                "8.2.10"
            ],
            "sha256": "bb778953ccadf1ddd3d3249677a4b7c27133ddd85d451ebe6cf0e04611264b86"
        },
        {
            "import_time": "2025-01-08T22:05:22.087692782Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:00:44Z",
            "versions": [
                "8.2.13"
            ],
            "sha256": "f92ac367260d9d488415ebd75540c852fe7fdae91818afa533b1340f7ac473cf"
        },
        {
            "import_time": "2025-01-08T22:35:42.201873457Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:26:02Z",
            "versions": [
                "8.2.18"
            ],
            "sha256": "688b6adf5117395c9f5d438ab7efdfe6fc8a35786f16b70d41ddd8452298d70d"
        },
        {
            "import_time": "2025-01-08T22:35:41.937936967Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:05:49Z",
            "versions": [
                "8.2.15"
            ],
            "sha256": "7eab984c371377d5191c91107044ee8c6d3573e3e736888627b48b4e9e0bc90a"
        },
        {
            "import_time": "2025-01-08T22:35:42.11336383Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:23:28Z",
            "versions": [
                "8.2.17"
            ],
            "sha256": "e08adcf62823628b349e8dd36a3e771d9bc804d5829d37a2a90d4fc97bdd8086"
        },
        {
            "import_time": "2025-01-08T22:35:42.02666966Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:22:45Z",
            "versions": [
                "8.2.16"
            ],
            "sha256": "e4fdda522c1ce47b32dc8df171d8ec813f07f999827664852ebd81a2add8888a"
        },
        {
            "import_time": "2025-01-08T23:05:22.49968974Z",
            "source": "ossf-package-analysis",
            "modified_time": "2025-01-08T22:48:32Z",
            "versions": [
                "8.2.19"
            ],
            "sha256": "3c13b97f402fc103044043dbabae1771d17095c19f85e89fa6844e83bba088dd"
        }
    ]
}
References
Credits

Affected packages

npm / @vf-org/smapi-js-core

Package

Name
@vf-org/smapi-js-core
View open source insights on deps.dev
Purl
pkg:npm/%40vf-org/smapi-js-core

Affected ranges

Affected versions

8.*

8.2.0
8.2.8
8.2.9
8.2.10
8.2.13
8.2.15
8.2.16
8.2.17
8.2.18
8.2.19