MAL-2026-3249

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internal-company-module-test-1337/MAL-2026-3249.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3249

Published

2026-05-03T15:33:36Z

Modified

2026-05-12T07:57:11.773040Z

Summary

Malicious code in internal-company-module-test-1337 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ffa107cadda6301a772af8727ebafd976365c28371cddd211c176a57b12715d9)

The package internal-company-module-test-1337 was found to contain malicious code.

Source: ossf-package-analysis (07c2475e90b699654b9aa4a19c5ca0592001681d7a28996dc02ff7c31faf7343)

The OpenSSF Package Analysis project identified 'internal-company-module-test-1337' @ 99.99.9994 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-03T15:48:41.008844096Z",
            "sha256": "07c2475e90b699654b9aa4a19c5ca0592001681d7a28996dc02ff7c31faf7343",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-03T15:33:36Z",
            "versions": [
                "99.99.9994"
            ]
        },
        {
            "import_time": "2026-05-03T15:48:41.128067276Z",
            "sha256": "e6c3688b939c7d34bd5baa1f6f6d982f8c42613281c8025a80b3fa5d42e55ee6",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-03T15:39:54Z",
            "versions": [
                "99.99.9995"
            ]
        },
        {
            "import_time": "2026-05-03T16:19:56.02672771Z",
            "sha256": "a239618b3ac37b6b893174de0e258eb36b3a0a104ed97bb29e78d41ee29d1055",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-03T16:02:18Z",
            "versions": [
                "99.99.9996"
            ]
        },
        {
            "import_time": "2026-05-03T16:19:55.97665773Z",
            "sha256": "daa07f251ccced0e7fc3db2fd9c5ad42a02551f7797b3a0f8745dd000c1783f3",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-03T15:49:42Z",
            "versions": [
                "99.99.9992"
            ]
        },
        {
            "import_time": "2026-05-12T07:28:48.271889563Z",
            "sha256": "ffa107cadda6301a772af8727ebafd976365c28371cddd211c176a57b12715d9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T06:53:21Z",
            "versions": [
                "99.99.9994",
                "99.99.9995",
                "99.99.9996",
                "99.99.9992"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / internal-company-module-test-1337

Package

Name: internal-company-module-test-1337; View open source insights on deps.dev
Purl: pkg:npm/internal-company-module-test-1337

Affected ranges

Affected versions

99.*

99.99.9992

99.99.9994

99.99.9995

99.99.9996

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internal-company-module-test-1337/MAL-2026-3249.json"