MAL-2026-1583

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/whatnot-web/MAL-2026-1583.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-1583
Published
2026-03-19T08:24:28Z
Modified
2026-03-23T05:35:23.495200Z
Summary
Malicious code in whatnot-web (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4e7124b844cb92c573d57e94d1060a58445a82d03984c430e1632807fda9d227)

The package whatnot-web was found to contain malicious code.

Source: ossf-package-analysis (6e4b52e600b6b37ce05a8127ddcabb58fc003b16c47afeec65118f1cb70008b8)

The OpenSSF Package Analysis project identified 'whatnot-web' @ 99.0.4 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "versions": [
                "99.0.4"
            ],
            "import_time": "2026-03-19T08:47:47.942074009Z",
            "modified_time": "2026-03-19T08:24:28Z",
            "sha256": "6e4b52e600b6b37ce05a8127ddcabb58fc003b16c47afeec65118f1cb70008b8"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "99.0.4"
            ],
            "import_time": "2026-03-23T05:14:01.077146564Z",
            "modified_time": "2026-03-23T05:11:41Z",
            "sha256": "4e7124b844cb92c573d57e94d1060a58445a82d03984c430e1632807fda9d227"
        }
    ]
}

Affected packages

npm / whatnot-web

Package

Affected ranges

Affected versions

99.*
99.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/whatnot-web/MAL-2026-1583.json"