MAL-2026-2447

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@toprank/partner/MAL-2026-2447.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2447
Published
2026-04-03T07:43:43Z
Modified
2026-04-10T01:37:32.033299Z
Summary
Malicious code in @toprank/partner (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (78a6d41a400b329c496f199f979216a151264b95d960a177b3b0347e6b3cf10e)

The package @toprank/partner was found to contain malicious code.

Source: ossf-package-analysis (5758f4b3b20d628c49a22e4eb09f54e9604d6b00fa68dee107701a175d9fa632)

The OpenSSF Package Analysis project identified '@toprank/partner' @ 99.99.11 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific 
{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "versions": [
                "99.99.11"
            ],
            "import_time": "2026-04-03T09:49:15.314128549Z",
            "modified_time": "2026-04-03T07:43:43Z",
            "sha256": "5758f4b3b20d628c49a22e4eb09f54e9604d6b00fa68dee107701a175d9fa632"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "99.99.11"
            ],
            "import_time": "2026-04-07T14:39:24.611593123Z",
            "modified_time": "2026-04-07T14:24:50Z",
            "sha256": "78a6d41a400b329c496f199f979216a151264b95d960a177b3b0347e6b3cf10e"
        }
    ]
}
References
Credits

Affected packages

npm / @toprank/partner

Package

Name
@toprank/partner
View open source insights on deps.dev
Purl
pkg:npm/%40toprank/partner

Affected ranges

Affected versions

99.*
99.99.11
99.99.12
99.99.13

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@toprank/partner/MAL-2026-2447.json"