MAL-2025-48547

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stopme/MAL-2025-48547.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-48547
Published
2025-10-21T19:20:58Z
Modified
2025-10-28T05:38:19Z
Summary
Malicious code in stopme (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (0c64e2664020a21b1ba2591990d854c1b1f8e37b00d8e6bc91f1e8703d5f9416)

The OpenSSF Package Analysis project identified 'stopme' @ 17.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-10-21T19:50:49Z",
            "versions": [
                "17.0.0"
            ],
            "sha256": "0c64e2664020a21b1ba2591990d854c1b1f8e37b00d8e6bc91f1e8703d5f9416",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:06:51.284892995Z"
        },
        {
            "modified_time": "2025-10-21T20:05:38Z",
            "versions": [
                "20.0.0"
            ],
            "sha256": "62137c51f3fbcb2c3257fe8127d5a2fa85e1b0e32618e57d33073f52d3da2946",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:06:51.393454011Z"
        },
        {
            "modified_time": "2025-10-21T20:13:22Z",
            "versions": [
                "22.0.0"
            ],
            "sha256": "69a28f1ddb08b80d21ecb69c36be414f2e7693786c05bc107aafa73101a30378",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:37:57.121405456Z"
        },
        {
            "modified_time": "2025-10-21T20:25:52Z",
            "versions": [
                "25.0.0"
            ],
            "sha256": "99d239c5a6b86610d66504cb83831bb0a8e5799935e89660dff8bc18b72622da",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:37:57.519158464Z"
        },
        {
            "modified_time": "2025-10-21T20:20:51Z",
            "versions": [
                "24.0.0"
            ],
            "sha256": "b4cb04c80ff9df86a891f824f3bf736a7681eb0ff5b5d5233e3b66781021e413",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:37:57.392177846Z"
        },
        {
            "modified_time": "2025-10-21T20:17:19Z",
            "versions": [
                "23.0.0"
            ],
            "sha256": "eb59778df02065be786dd7a8e58d169d69b63472b8d854e0b8e726179fb033aa",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-21T20:37:57.255290344Z"
        },
        {
            "modified_time": "2025-10-21T19:20:58Z",
            "versions": [
                "12.0.0"
            ],
            "sha256": "a43c0b1f4fc4edfe6457c12c1a5fd54879973c068af90ef655b067c7f66aef60",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-28T05:37:46.594011855Z"
        },
        {
            "modified_time": "2025-10-21T19:37:11Z",
            "versions": [
                "15.0.0"
            ],
            "sha256": "b6e700e8568b750ea2d3247a615ed34f31be4c61173f67b9150dc0deda3ca33c",
            "source": "ossf-package-analysis",
            "import_time": "2025-10-28T05:37:46.722396785Z"
        }
    ]
}
References
Credits

Affected packages

npm / stopme

Package

Affected ranges

Affected versions

11.*
11.0.0
12.*
12.0.0
15.*
15.0.0
16.*
16.0.0
17.*
17.0.0
18.*
18.0.0
20.*
20.0.0
21.*
21.0.0
22.*
22.0.0
23.*
23.0.0
24.*
24.0.0
25.*
25.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stopme/MAL-2025-48547.json"