{"id":"MAL-2024-10653","summary":"Malicious code in @sportdigi/bootstrapper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (606eac7e59a098b487b61377214416850ff371fc507eb544c97622670ff87dc8)\nThe OpenSSF Package Analysis project identified '@sportdigi/bootstrapper' @ 12.1.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2024-11-15T20:35:40Z","published":"2024-11-13T10:11:20Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2024-11-13T10:11:20Z","sha256":"606eac7e59a098b487b61377214416850ff371fc507eb544c97622670ff87dc8","import_time":"2024-11-13T10:37:24.247128903Z","source":"ossf-package-analysis","versions":["12.1.2"]},{"modified_time":"2024-11-13T10:38:38Z","sha256":"b1f862d70f50ccfadb3942f07b0c46800bd4971837e3913953b800811a964952","import_time":"2024-11-13T11:05:07.099222766Z","source":"ossf-package-analysis","versions":["12.1.3"]},{"modified_time":"2024-11-13T11:30:50Z","sha256":"a866d4ed0958614d4f0034a2594c90fceaa90f6f471c769ee37f0dcdd456db19","import_time":"2024-11-13T11:34:26.352846519Z","source":"ossf-package-analysis","versions":["15.1.0"]},{"modified_time":"2024-11-13T12:45:39Z","sha256":"8bc611a87a7291672670b28e7628c988301fcf52454e4a697a7eb90bad3f3085","import_time":"2024-11-13T12:46:07.341728524Z","source":"ossf-package-analysis","versions":["17.1.0"]},{"modified_time":"2024-11-13T12:50:25Z","sha256":"0150cb4985e59dca650171035ea6913a23851721a195665073f218bb996dc8ac","import_time":"2024-11-13T13:09:20.685944135Z","source":"ossf-package-analysis","versions":["14.1.0"]},{"modified_time":"2024-11-14T13:33:58Z","sha256":"9933fc51d94e1f7fb9e64dd84eb30c2f36db22967b0536e1aa64a00e3b725d9d","import_time":"2024-11-14T13:37:10.868181928Z","source":"ossf-package-analysis","versions":["18.1.0"]},{"modified_time":"2024-11-14T13:47:50Z","sha256":"f49a1667bc0936dd1b8ef64447c4b7bfd108e268067687bbfcc5a62c559efafb","import_time":"2024-11-14T14:05:18.785795394Z","source":"ossf-package-analysis","versions":["19.1.0"]},{"modified_time":"2024-11-14T14:50:56Z","sha256":"552ae4f8cab37c1b5ac4cfed11f65ce2061f2a9051369a488ee8b8958042cbd2","import_time":"2024-11-14T15:05:29.441774893Z","source":"ossf-package-analysis","versions":["21.1.0"]},{"modified_time":"2024-11-14T15:05:54Z","sha256":"eb7017fda29ef672dc5434322a4998c9ec16a6b00abd6da8ddac55ee1ab228ed","import_time":"2024-11-14T15:35:52.368650546Z","source":"ossf-package-analysis","versions":["22.1.0"]},{"modified_time":"2024-11-14T15:55:56Z","sha256":"ad1b79a8453506433c0262901a8e62e5e2e339695fffac16639562cf73f53742","import_time":"2024-11-14T16:06:25.434519794Z","source":"ossf-package-analysis","versions":["23.1.0"]},{"modified_time":"2024-11-14T17:00:52Z","sha256":"c3ef377ddccb9dffa327f7a6ad3dfe309b140b2cbdeaf9344b61ee1fa02311d6","import_time":"2024-11-14T17:05:15.38749747Z","source":"ossf-package-analysis","versions":["24.1.0"]},{"modified_time":"2024-11-14T17:55:07Z","sha256":"c4a1bfeee069f396ecded1dc4d16ebb65ed629ba744dd238dbae1cebb30ad407","import_time":"2024-11-14T18:06:46.843549234Z","source":"ossf-package-analysis","versions":["25.1.0"]},{"modified_time":"2024-11-14T18:12:50Z","sha256":"e1e621b57176168201ebd0bc8c49972cecdd1f8db9da200504d11ed96efcec8d","import_time":"2024-11-14T18:39:07.668046639Z","source":"ossf-package-analysis","versions":["25.1.0"]},{"modified_time":"2024-11-14T18:55:37Z","sha256":"0e37ebad501c96a3638cf55c011f4c8212a264dc9e70ab3b5cfbb71927379806","import_time":"2024-11-14T19:05:03.386138802Z","source":"ossf-package-analysis","versions":["27.1.0"]},{"modified_time":"2024-11-14T19:15:20Z","sha256":"f368dc856c7c20c0e2b624c649d7f1c8aa0d470be7c53d8a271794bd16112dd1","import_time":"2024-11-14T19:34:09.680125184Z","source":"ossf-package-analysis","versions":["29.1.0"]},{"modified_time":"2024-11-14T21:08:38Z","sha256":"a02722852b2c7b5631e4531a44359a3aef19b4617c50104c174d0489d6d89c45","import_time":"2024-11-14T21:34:15.228119279Z","source":"ossf-package-analysis","versions":["30.1.0"]},{"modified_time":"2024-11-15T20:30:10Z","sha256":"0a6b53a3d5f465330166e2cc8e6336ac159ea8dc5c4b27b3458427c09cab5630","import_time":"2024-11-15T20:35:14.801295845Z","source":"ossf-package-analysis","versions":["34.1.0"]},{"modified_time":"2024-11-15T20:28:14Z","sha256":"6104d1700ab684ef9c3d161095d5f38dd59ddc82a9674a9141b26386691e3cbe","import_time":"2024-11-15T20:35:14.72345131Z","source":"ossf-package-analysis","versions":["32.1.0"]},{"modified_time":"2024-11-15T20:14:38Z","sha256":"9a58947bf96d58f3d3428b7a7fcbea36aad8e21894b09f2f08612499a0760e2f","import_time":"2024-11-15T20:35:14.660802057Z","source":"ossf-package-analysis","versions":["31.1.0"]}]},"affected":[{"package":{"name":"@sportdigi/bootstrapper","ecosystem":"npm","purl":"pkg:npm/%40sportdigi/bootstrapper"},"versions":["12.1.2","12.1.3","15.1.0","17.1.0","14.1.0","18.1.0","19.1.0","21.1.0","22.1.0","23.1.0","24.1.0","25.1.0","27.1.0","29.1.0","30.1.0","34.1.0","32.1.0","31.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sportdigi/bootstrapper/MAL-2024-10653.json"}}],"schema_version":"1.7.3","credits":[{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}