MAL-2026-1093

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/naughty-package/MAL-2026-1093.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1093

Published

2026-03-01T05:38:31Z

Modified

2026-03-03T07:02:20.401797Z

Summary

Malicious code in naughty-package (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f541502f67ae3fc0e3558f52fb3e24b3857ab7bae8d0f8b45dc077d4d06ea0f7)

The package naughty-package was found to contain malicious code.

Source: ossf-package-analysis (e32166479d2212b7384d2011adc8496c59347f7af8af2fdae6de9dd13c6f5b0d)

The OpenSSF Package Analysis project identified 'naughty-package' @ 1.0.8 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "0468ae18d44d78c000a973ca7dfb090efc540fc1792b894ee063d4441a306d27",
            "import_time": "2026-03-01T05:49:10.714017155Z",
            "modified_time": "2026-03-01T05:38:31Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "f541502f67ae3fc0e3558f52fb3e24b3857ab7bae8d0f8b45dc077d4d06ea0f7",
            "import_time": "2026-03-01T20:41:59.180070915Z",
            "modified_time": "2026-03-01T20:25:57Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "3f2978c5764d97f06a66498d08fcf2247067741751489b580cf6455a81e71c83",
            "import_time": "2026-03-02T21:46:01.051057892Z",
            "modified_time": "2026-03-02T06:25:43Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "sha256": "5aceae5939d76701462dc3f742b492456510e7ff96510671e83e8de93850ab10",
            "import_time": "2026-03-02T21:46:00.949989105Z",
            "modified_time": "2026-03-02T06:20:32Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "e32166479d2212b7384d2011adc8496c59347f7af8af2fdae6de9dd13c6f5b0d",
            "import_time": "2026-03-03T06:48:47.371428858Z",
            "modified_time": "2026-03-03T06:31:03Z",
            "source": "ossf-package-analysis"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / naughty-package

Package

Name: naughty-package; View open source insights on deps.dev
Purl: pkg:npm/naughty-package

Affected ranges

Affected versions

1.*

1.0.2

1.0.5

1.0.7

1.0.8

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/naughty-package/MAL-2026-1093.json"