The package was compromised and malicious code added.
-= Per source details. Do not edit below this line.=-
This package was compromised by the Shai-Hulud NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub before propogating itself to NPM packages the user owns.
{
"malicious-packages-origins": [
{
"versions": [
"7.2.75",
"7.2.74",
"7.2.73",
"7.2.72"
],
"sha256": "98bc88d841f7cc3ff226e714214d8710303b66e19159e2672746eedc0d7a5c0e",
"modified_time": "2025-09-17T05:58:45Z",
"source": "google-open-source-security",
"import_time": "2025-09-17T05:59:34.616902Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nativescript-community/ui-material-ripple/MAL-2025-47390.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]