{"id":"MAL-2025-21882","summary":"Malicious code in graphnetworkx (npm)","details":"The package graphnetworkx was found to contain malicious code.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n","modified":"2026-04-16T15:55:14.658906Z","published":"2025-08-14T18:52:04Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-08-28T07:29:58Z","source":"reversing-labs","sha256":"50c06ef08dc76e72bdc78082ce89a830f60bfcf42fd9217d17b5622d732a3acd","import_time":"2025-08-29T06:42:24.075211711Z","versions":["2.1.6","2.1.7","2.1.8","2.1.9","2.1.11"],"id":"RLMA-2025-04549"},{"modified_time":"2025-09-26T09:32:36Z","source":"reversing-labs","sha256":"12b124e4a03debd491edf59b6c4f40ae3a41fac5ef33689178ce4f80d55399ff","import_time":"2025-09-26T11:06:11.993091001Z","versions":["2.1.10"],"id":"RLUA-2025-05027"},{"modified_time":"2026-04-16T09:59:32Z","source":"reversing-labs","sha256":"f27b5ce759d704d77e6c23e783e7700e8bcd0dbf2d54e822e817f3ae260c2298","import_time":"2026-04-16T15:39:29.664772746Z","id":"RLUA-2026-01964"}]},"references":[{"type":"ARTICLE","url":"https://www.reversinglabs.com/blog/inside-graphalgo"}],"affected":[{"package":{"name":"graphnetworkx","ecosystem":"npm","purl":"pkg:npm/graphnetworkx"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["2.1.6","2.1.7","2.1.8","2.1.9","2.1.11","2.1.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/graphnetworkx/MAL-2025-21882.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}