MAL-2025-5249

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nstmrt-stf-api/MAL-2025-5249.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-5249
Published
2025-06-25T06:50:40Z
Modified
2025-06-25T11:06:06Z
Summary
Malicious code in nstmrt-stf-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (0da052c315a64ad23ddcebd853a91fc2f81597d0cd587326b5f7554911cc9d73)

The OpenSSF Package Analysis project identified 'nstmrt-stf-api' @ 1.0.10 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-06-25T06:55:36Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "4eae18e33d6846a98b7a18d6c8ee414cdd48d428e3a07d96c8d26146d0c8c4e3",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T07:06:39.552385073Z"
        },
        {
            "modified_time": "2025-06-25T06:50:40Z",
            "versions": [
                "1.0.2"
            ],
            "sha256": "acd5c568fbddcb6dca4f02d83465f59af8ac27c64818ac44aa1044e06be1e496",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T07:06:39.476284985Z"
        },
        {
            "modified_time": "2025-06-25T07:00:59Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "ce5f5094cff990f3b5d3d06e06d90210851478314546638a3f9de1c7b083a45a",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T07:06:39.6168634Z"
        },
        {
            "modified_time": "2025-06-25T07:22:42Z",
            "versions": [
                "1.0.7"
            ],
            "sha256": "c3464a00c60398b4df74a3f728620dfa8865bf7f9c052c4930e756bcb250eaa9",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T07:36:08.017264735Z"
        },
        {
            "modified_time": "2025-06-25T10:40:52Z",
            "versions": [
                "1.0.10"
            ],
            "sha256": "0da052c315a64ad23ddcebd853a91fc2f81597d0cd587326b5f7554911cc9d73",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T11:05:34.033853137Z"
        },
        {
            "modified_time": "2025-06-25T10:46:01Z",
            "versions": [
                "1.0.11"
            ],
            "sha256": "510379bc3b9478a5743a70e95c73bd9ceb20a021d98f5c503a7630290f574875",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T11:05:34.135905622Z"
        },
        {
            "modified_time": "2025-06-25T10:51:28Z",
            "versions": [
                "1.0.12"
            ],
            "sha256": "ef385cb9276f71304b089fddd9d05b60237724a5e5fdeea3398059ef20ad6602",
            "source": "ossf-package-analysis",
            "import_time": "2025-06-25T11:05:34.260818318Z"
        }
    ]
}
References
Credits

Affected packages

npm / nstmrt-stf-api

Package

Affected ranges

Affected versions

1.*
1.0.2
1.0.4
1.0.5
1.0.7
1.0.10
1.0.11
1.0.12

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nstmrt-stf-api/MAL-2025-5249.json"