MAL-2026-1494

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/navi-design-system/MAL-2026-1494.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1494

Published

2026-03-17T06:15:39Z

Modified

2026-03-23T05:44:17.305767Z

Summary

Malicious code in navi-design-system (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7d7c20b1a93d0713a7cd64e5937906dc8db43fe90795827cedac30fc64031c68)

The package navi-design-system was found to contain malicious code.

Source: ossf-package-analysis (456529de586987eca70b76fe07da6ed022e7bb8dfaf9d36a47db75809cdc3b49)

The OpenSSF Package Analysis project identified 'navi-design-system' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "versions": [
                "7.0.0"
            ],
            "import_time": "2026-03-17T06:28:32.036701769Z",
            "modified_time": "2026-03-17T06:15:39Z",
            "sha256": "1b246a64e8aa9a9d379cb47a0dea39ba7a7262de32e0e30954ea3e8b784d6228"
        },
        {
            "source": "ossf-package-analysis",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-03-17T06:28:32.109680552Z",
            "modified_time": "2026-03-17T06:21:02Z",
            "sha256": "456529de586987eca70b76fe07da6ed022e7bb8dfaf9d36a47db75809cdc3b49"
        },
        {
            "source": "ossf-package-analysis",
            "versions": [
                "99.1.0"
            ],
            "import_time": "2026-03-17T06:53:16.40490058Z",
            "modified_time": "2026-03-17T06:40:47Z",
            "sha256": "ab6d142ced2d17d8d89719361fc372158ef8a06428aac08d06e1ad6949463aa3"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "7.0.0",
                "99.0.0",
                "99.1.0"
            ],
            "import_time": "2026-03-23T05:14:21.992432505Z",
            "modified_time": "2026-03-23T05:11:41Z",
            "sha256": "7d7c20b1a93d0713a7cd64e5937906dc8db43fe90795827cedac30fc64031c68"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / navi-design-system

Package

Name: navi-design-system; View open source insights on deps.dev
Purl: pkg:npm/navi-design-system

Affected ranges

Affected versions

7.*

7.0.0

99.*

99.0.0

99.1.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/navi-design-system/MAL-2026-1494.json"