MAL-2026-4659

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/rdflib/MAL-2026-4659.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4659
Withdrawn
2026-05-26T22:13:04Z
Published
2026-05-20T01:41:42Z
Modified
2026-05-27T00:32:12.944538661Z
Summary
Malicious code in rdflib (npm)
Details

Source: amazon-inspector (fb9a536a077e23bda8e10a55aa1177de28f4f5a8622e08914eeab437e8036940)

package.json for this release declares two runtime dependencies — "package-lock.json": "^1.0.0" and "package.json": "^2.0.1" — inside the dependencies block. These are bare names that npm resolves from the public registry, not local files. Neither name is required or referenced anywhere in the rdflib source, so they serve no functional purpose for the library. Their only effect is that running npm install rdflib@2.3.7 will fetch and install those two third-party packages and execute any of their lifecycle scripts on the installer's machine. The names are confusingly chosen to mimic standard npm artifact filenames, which obscures the dependency injection during casual review of package.json. This pattern is consistent with a hijacked/tampered release pulling attacker-controlled transitive code into the installer's dependency tree under the cover of a trusted package name (rdflib).
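A defender-side check for the pattern described above, added here as an example (it is not part of the advisory or of rdflib): parse a package.json and flag runtime dependencies whose names mimic npm artifact filenames, or that none of the package's own source files import. The artifact-name list, the import regex and the sample package.json are constructed assumptions for this example.

```python
import json
import re

# Constructed list of standard npm artifact filenames; a dependency whose *name*
# equals one of these is almost certainly not a genuine library.
ARTIFACT_LOOKALIKES = {
    "package.json", "package-lock.json", "npm-shrinkwrap.json",
    "yarn.lock", "pnpm-lock.yaml", ".npmrc",
}

# Matches require('x'), import ... from 'x' and bare import 'x' in JS/TS source.
_IMPORT_RE = re.compile(r"""(?:require\(\s*|from\s+|import\s+)['"]([^'"]+)['"]""")

def referenced_packages(source_texts):
    """Registry package names that the given source files actually import."""
    names = set()
    for text in source_texts:
        for spec in _IMPORT_RE.findall(text):
            if spec.startswith((".", "/")):
                continue  # relative or absolute path, not a registry package
            parts = spec.split("/")
            # Scoped packages (@scope/name) keep two segments, others keep one.
            names.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
    return names

def suspicious_dependencies(package_json_text, source_texts):
    """Return (name, reason) for runtime dependencies that mimic npm artifact
    filenames or are never imported by the package's own source."""
    deps = json.loads(package_json_text).get("dependencies", {})
    used = referenced_packages(source_texts)
    findings = []
    for name in sorted(deps):
        if name.lower() in ARTIFACT_LOOKALIKES:
            findings.append((name, "name mimics an npm artifact filename"))
        elif name not in used:
            findings.append((name, "not referenced by any source file"))
    return findings

# Constructed sample package.json and source, modelled on the pattern described
# above; these are not the contents of the real rdflib tarball.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib", "version": "0.0.0",
    "dependencies": {"example-parser": "^1.0.0",
                     "package-lock.json": "^1.0.0", "package.json": "^2.0.1"},
})
SAMPLE_SOURCES = ["import { Parser } from 'example-parser';\nexport default Parser;\n"]

for dep, reason in suspicious_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES):
    print(f"{dep}: {reason}")
```

Run against an unpacked tarball by passing the contents of its JS/TS files as `source_texts`; a non-empty result is a prompt for manual review, not proof of tampering on its own.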

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.3.7"
            ],
            "sha256": "fb9a536a077e23bda8e10a55aa1177de28f4f5a8622e08914eeab437e8036940",
            "modified_time": "2026-05-20T01:41:42Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003371",
            "import_time": "2026-05-26T05:50:30.660742019Z"
        }
    ]
}
References
Credits

Affected packages

Package
npm / rdflib

Affected ranges
2.*

Affected versions
2.3.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "rdflib-2.3.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-rpDq7AD8GrMO8aKu0FNoIfht2NNnIuP2JLGZvzBW+vfyRRU2HY0qHR9VHPB6udyIaPVAhUW/+QCcrEvbcglC1g==",
                "sha1": "d9ed702d6dc86c6574fb59a731ee2d7e33e97fe1"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "11a3ea7bb53c614c2e736ff7f2b879cbe9ac78ef0c7dbf5ff74f40b875f224a9",
            "path": "package.json",
            "tlsh": "75f1ef5fde438e6b0a800898d4b442c2b53094bb4944fc9977ad446c5fcc26f7b79ead"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/rdflib/MAL-2026-4659.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]