added malicious packages #1190

Open
KunalSin9h wants to merge 4 commits into ossf:main from KunalSin9h:sd-malpkg-apr-6-2nd

@KunalSin9h
Contributor

No description provided.

@KunalSin9h
Contributor Author

KunalSin9h commented Apr 8, 2026

@calebbrown please review.

"affected": [
{
"package": {
"name": "frontend-backoffice",
Collaborator

I wonder about the other packages by the same user: https://www.npmjs.com/~abuelkhairbugbounty - but maybe they aren't bad enough. Won't block on this tho.

Contributor Author

@elitsa-gosst added other 2 packages too!

Collaborator

Thanks! Just a nit - why didn't you specify a version for this package but you did for the others?

Contributor Author

@elitsa-gosst since all versions of it are malicious, I use 0. For one of the packages, @telekom-wfa/auth-core, the latest version has removed the payload, hence only one version is malicious. For the other package, it already had the record, so I just added 2 more versions, keeping the original record.
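
The version convention described in the comment above, as an added example that is not part of the PR: it assumes the records follow the OSV schema, where a `ranges` entry with an `introduced` event of `"0"` covers every version and a `versions` list names individual releases. The package names and version numbers are constructed.

```python
# Added example: match an installed package against the two record shapes
# discussed in the thread. All names and versions here are constructed.

def _key(version):
    # Simplified ordering for plain "x.y.z" versions; pre-release tags are not handled.
    return tuple(int(part) for part in version.split("."))

def in_range(version, events):
    """Evaluate OSV range events; only 'introduced' and 'fixed' are handled."""
    known = [e for e in events if "introduced" in e or "fixed" in e]
    known.sort(key=lambda e: _key(e.get("introduced") or e.get("fixed")))
    affected = False
    for event in known:
        if "introduced" in event and _key(version) >= _key(event["introduced"]):
            affected = True
        elif "fixed" in event and _key(version) >= _key(event["fixed"]):
            affected = False
    return affected

def is_affected(record, name, version, ecosystem="npm"):
    """True if name@version is covered by any 'affected' entry of the record."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue
        if version in entry.get("versions", []):
            return True
        if any(in_range(version, r.get("events", [])) for r in entry.get("ranges", [])):
            return True
    return False

# Shape 1: every published version is malicious (the "I use 0" case).
ALL_VERSIONS = {"affected": [{
    "package": {"ecosystem": "npm", "name": "example-all-bad"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
}]}

# Shape 2: only one release carried the payload; later releases are clean.
ONE_VERSION = {"affected": [{
    "package": {"ecosystem": "npm", "name": "@example/one-bad"},
    "versions": ["1.4.2"],
}]}

if __name__ == "__main__":
    for rec, name, ver in [(ALL_VERSIONS, "example-all-bad", "7.0.0"),
                           (ONE_VERSION, "@example/one-bad", "1.4.2"),
                           (ONE_VERSION, "@example/one-bad", "1.4.3")]:
        print(name, ver, "affected" if is_affected(rec, name, ver) else "not affected")
```
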

Collaborator

@elitsa-gosst elitsa-gosst left a comment

Thanks for contributing!


2 participants