MAL-2025-41263

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sdp-transform-parser/MAL-2025-41263.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-41263
Published
2025-08-21T18:55:55Z
Modified
2025-09-26T11:06:45Z
Summary
Malicious code in sdp-transform-parser (npm)
Details

The package communicates with a domain associated with malicious activity.


-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (d6f0bf5deb53b6f1424914462ad86d16738a1118a744d709e3e37abaf8907134)

The OpenSSF Package Analysis project identified 'sdp-transform-parser' @ 99.99.100 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d6f0bf5deb53b6f1424914462ad86d16738a1118a744d709e3e37abaf8907134",
            "source": "ossf-package-analysis",
            "import_time": "2025-08-22T02:34:57.297714407Z",
            "modified_time": "2025-08-22T01:55:52Z",
            "versions": [
                "99.99.100"
            ]
        },
        {
            "sha256": "438899bb3957f0a67048b52b32607a1e4e8a954434c0e5482b4a30e336e09641",
            "source": "ossf-package-analysis",
            "import_time": "2025-08-23T05:35:59.404069188Z",
            "modified_time": "2025-08-23T05:35:43Z",
            "versions": [
                "9999.0.2"
            ]
        },
        {
            "sha256": "ac6c9f7bd8d683d0ac227cc4cc38fce0cfb726fb6f69577f49e26ba282dfbbb1",
            "source": "ossf-package-analysis",
            "import_time": "2025-08-23T05:35:59.152643163Z",
            "modified_time": "2025-08-23T05:10:45Z",
            "versions": [
                "9999.0.0"
            ]
        },
        {
            "sha256": "bdbadf924620c79652d50ccedd3ddbc5f1a6dbe501c03f5dc79697404147ba08",
            "source": "ossf-package-analysis",
            "import_time": "2025-08-23T05:35:59.280936963Z",
            "modified_time": "2025-08-23T05:30:38Z",
            "versions": [
                "9999.0.1"
            ]
        },
        {
            "sha256": "661e3decfcbcead3d43fa8a310a39e36907cd561dcbab79724141d6369ead777",
            "id": "RLMA-2025-05148",
            "source": "reversing-labs",
            "import_time": "2025-09-26T11:06:03.471102247Z",
            "modified_time": "2025-09-26T09:43:19Z",
            "versions": [
                "99.99.99",
                "99.99.100",
                "9999.0.0",
                "9999.0.1",
                "9999.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / sdp-transform-parser

Package

Name
sdp-transform-parser
View open source insights on deps.dev
Purl
pkg:npm/sdp-transform-parser

Affected ranges

Type
SEMVER
Events
Introduced
99.99.99

Affected versions

99.*
99.99.99
99.99.100
9999.*
9999.0.0
9999.0.1
9999.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sdp-transform-parser/MAL-2025-41263.json"