MAL-2026-3352

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/carbonite-internal/MAL-2026-3352.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3352
Published
2026-05-06T06:20:35Z
Modified
2026-05-12T07:56:18.557420Z
Summary
Malicious code in carbonite-internal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4fec002c13bf1ef1b49658e5dc490ca30515cf414294154827adadab04cbc234)

The package carbonite-internal was found to contain malicious code.

Source: ossf-package-analysis (9187d7e1d292c21fa0cb37a0ef02fbc1ebcd489eb60d2bc753329f0f27d275ee)

The OpenSSF Package Analysis project identified 'carbonite-internal' @ 99.9.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-06T06:20:35Z",
            "import_time": "2026-05-06T08:20:09.872382207Z",
            "versions": [
                "99.9.0"
            ],
            "source": "ossf-package-analysis",
            "sha256": "9187d7e1d292c21fa0cb37a0ef02fbc1ebcd489eb60d2bc753329f0f27d275ee"
        },
        {
            "modified_time": "2026-05-12T06:53:21Z",
            "import_time": "2026-05-12T07:28:47.523607353Z",
            "versions": [
                "99.9.0"
            ],
            "source": "amazon-inspector",
            "sha256": "4fec002c13bf1ef1b49658e5dc490ca30515cf414294154827adadab04cbc234"
        }
    ]
}
References
Credits

Affected packages

npm / carbonite-internal

Package

Name
carbonite-internal
View open source insights on deps.dev
Purl
pkg:npm/carbonite-internal

Affected ranges

Affected versions

99.*
99.9.0

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/carbonite-internal/MAL-2026-3352.json"