MAL-2025-42486

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@eooce/sbx/MAL-2025-42486.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-42486
Published
2025-08-12T19:51:34Z
Modified
2025-09-08T04:38:55Z
Summary
Malicious code in @eooce/sbx (npm)
Details

The package @eooce/sbx was found to contain malicious code.


-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (0c3f68a08af76f3c5412daa2b25a618ab31f5541ee496dec1392afedcf86ec33)

The OpenSSF Package Analysis project identified '@eooce/sbx' @ 2.0.7 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
References
Credits

Affected packages

npm / @eooce/sbx

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1
1.0.3
2.*
2.0.0
2.0.1
2.0.6
2.0.7
2.0.8

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@eooce/sbx/MAL-2025-42486.json"