{"id":"MAL-2025-42486","summary":"Malicious code in @eooce/sbx (npm)","details":"The package @eooce/sbx was found to contain malicious code. All eight versions listed in this record are flagged, not only the 2.0.7 release named in the source details below; the affected range starts at 0 and has no fixed version, so no release of this package should be treated as safe.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (0c3f68a08af76f3c5412daa2b25a618ab31f5541ee496dec1392afedcf86ec33)\nThe OpenSSF Package Analysis project identified '@eooce/sbx' @ 2.0.7 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2025-09-08T04:38:55Z","published":"2025-08-12T19:51:34Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-09-08T03:43:50.270058725Z","sha256":"0c3f68a08af76f3c5412daa2b25a618ab31f5541ee496dec1392afedcf86ec33","modified_time":"2025-08-23T17:41:21Z","versions":["2.0.7"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:50.071168045Z","sha256":"4bb82c00eb02fcd04c06cb76e8dae54522e79bc2f16f87bf03068e633b890859","modified_time":"2025-08-16T11:12:30Z","versions":["2.0.1"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:49.819634449Z","sha256":"5f25ffb6684a1daabb8bf7506196546219b374a765f2eee49268daf500314255","modified_time":"2025-08-12T19:56:23Z","versions":["1.0.1"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:49.960011553Z","sha256":"74b2386df1e09efe1381778ed61a4e3b442d5d024d125b6408f0b989a62b40bc","modified_time":"2025-08-16T11:10:39Z","versions":["2.0.0"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:49.893646419Z","sha256":"85d05f8bb6d70096cf81ab0a2a2ac3927a6281266d1d262640d84ae139f62231","modified_time":"2025-08-16T10:33:27Z","versions":["1.0.3"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:50.376290012Z","sha256":"9a742d079042182542d4b0eeebdadf590d8be2c7519dea2e11ac2a22df0a3b3a","modified_time":"2025-08-23T18:34:54Z","versions":["2.0.8"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T03:43:50.169845049Z","
sha256":"b3f8434bafb02c9ee4bcb5f721b58588fea0bd42494b28a8dcc04e7878f6a202","modified_time":"2025-08-18T12:01:32Z","versions":["2.0.6"],"source":"ossf-package-analysis"},{"import_time":"2025-09-08T04:38:17.849607655Z","sha256":"36c4eb81cc1cd7cc2b0876ba21a13392a01f9dd4b8097073045e368b3d531a5f","modified_time":"2025-08-12T19:51:34Z","versions":["1.0.0"],"source":"ossf-package-analysis"}]},"affected":[{"package":{"name":"@eooce/sbx","ecosystem":"npm","purl":"pkg:npm/%40eooce/sbx"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["2.0.7","2.0.1","1.0.1","2.0.0","1.0.3","2.0.8","2.0.6","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@eooce/sbx/MAL-2025-42486.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}