MAL-2026-3185

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@saif777/codemirror5/MAL-2026-3185.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3185
Published
2026-04-29T18:36:33Z
Modified
2026-04-30T23:08:31.394098Z
Summary
Malicious code in @saif777/codemirror5 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d8c90f2fd5697c867e9bb88102c93cf144662dcee32b95e0ad2a27061c867c65)

The package @saif777/codemirror5 was found to contain malicious code.

Source: ossf-package-analysis (05a16b6c187f8c3c5ab4c2c62627e75d9f8d14d28d265854e57ba1cb33bb7f3b)

The OpenSSF Package Analysis project identified '@saif777/codemirror5' @ 7.66.5 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-04-29T23:23:38.182574258Z",
            "source": "ossf-package-analysis",
            "versions": [
                "7.66.5"
            ],
            "modified_time": "2026-04-29T18:36:33Z",
            "sha256": "05a16b6c187f8c3c5ab4c2c62627e75d9f8d14d28d265854e57ba1cb33bb7f3b"
        },
        {
            "import_time": "2026-04-30T22:23:10.172971864Z",
            "source": "amazon-inspector",
            "versions": [
                "7.66.5"
            ],
            "modified_time": "2026-04-30T21:59:18Z",
            "sha256": "d8c90f2fd5697c867e9bb88102c93cf144662dcee32b95e0ad2a27061c867c65"
        }
    ]
}

Affected packages

npm / @saif777/codemirror5

Package

Name
@saif777/codemirror5
Purl
pkg:npm/%40saif777/codemirror5

Affected ranges

Affected versions

7.*
7.66.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@saif777/codemirror5/MAL-2026-3185.json"