MAL-2025-49247

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/siren-lament/MAL-2025-49247.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-49247
Published
2025-10-29T22:29:06Z
Modified
2025-10-31T02:37:09Z
Summary
Malicious code in siren-lament (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9f9146581b28381099b9aea208feeb40077658b468ce7897143988b86a5ec23b)

The package siren-lament was found to contain malicious code.

Source: ossf-package-analysis (092c6ea787d7e5e30dda10413bd19dd94ef1007bec6652aa050ecd4e27acbf4f)

The OpenSSF Package Analysis project identified 'siren-lament' @ 2.14.827 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2025-10-30T23:06:47.506003596Z",
            "sha256": "092c6ea787d7e5e30dda10413bd19dd94ef1007bec6652aa050ecd4e27acbf4f",
            "source": "ossf-package-analysis",
            "modified_time": "2025-10-29T22:41:08Z",
            "versions": [
                "2.14.827"
            ]
        },
        {
            "import_time": "2025-10-30T23:06:47.280235551Z",
            "sha256": "17392eb04e4be8de6edb2a946224a1506007eada7261683e18b908e38e967c83",
            "source": "ossf-package-analysis",
            "modified_time": "2025-10-29T22:29:06Z",
            "versions": [
                "2.14.822"
            ]
        },
        {
            "import_time": "2025-10-30T23:06:47.429806819Z",
            "sha256": "97d32da9c42a9d8228149ee4a7e75538a6bc87b1e34648adf4d1c5337f09476b",
            "source": "ossf-package-analysis",
            "modified_time": "2025-10-29T22:35:59Z",
            "versions": [
                "2.14.824"
            ]
        },
        {
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-10-31T02:36:38.943854355Z",
            "sha256": "9f9146581b28381099b9aea208feeb40077658b468ce7897143988b86a5ec23b",
            "source": "amazon-inspector",
            "modified_time": "2025-10-31T02:28:48Z"
        }
    ]
}
References
Credits

Affected packages

npm / siren-lament

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.14.822
2.14.824
2.14.827

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/siren-lament/MAL-2025-49247.json"