MAL-2026-996

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/rubygems/rubocop-vintedmetrics/MAL-2026-996.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-996
Published
2026-02-20T11:40:23Z
Modified
2026-02-23T03:40:14.036990Z
Summary
Malicious code in rubocop-vintedmetrics (RubyGems)
Details

-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (c8e90dd88f71e05719940997342cf6a367387fc68045f091a864d8f8e7e62be8)

The OpenSSF Package Analysis project identified 'rubocop-vintedmetrics' @ 9.9.12 (rubygems) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-02-23T03:07:52.220223781Z",
            "modified_time": "2026-02-20T11:40:23Z",
            "source": "ossf-package-analysis",
            "sha256": "1a13041dd3e44918a82ca4c4b7e67dea1635792de28ac662c53c269e709f657c",
            "versions": [
                "9.9.9"
            ]
        },
        {
            "import_time": "2026-02-23T03:07:52.320213505Z",
            "modified_time": "2026-02-21T03:10:24Z",
            "source": "ossf-package-analysis",
            "sha256": "c8e90dd88f71e05719940997342cf6a367387fc68045f091a864d8f8e7e62be8",
            "versions": [
                "9.9.12"
            ]
        }
    ]
}

Affected packages

RubyGems / rubocop-vintedmetrics

Package

Name
rubocop-vintedmetrics
Purl
pkg:gem/rubocop-vintedmetrics

Affected ranges

Affected versions

9.*
9.9.9
9.9.12

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/rubygems/rubocop-vintedmetrics/MAL-2026-996.json"