{"id":"MAL-2025-47388","summary":"Malicious code in @nativescript-community/ui-label (npm)","details":"The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (a815032f1d690295898b5c01bd4d17cb73044eebda75187b2877e8299ded777a)\nThis package was compromised by the Shai-Hulud NPM worm. The malicious payload\nsteals tokens and credentials and publishes them to GitHub before propagating\nitself to NPM packages the user owns.\n","modified":"2025-09-17T06:23:36Z","published":"2025-09-16T17:05:44Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-09-17T05:58:45Z","sha256":"a815032f1d690295898b5c01bd4d17cb73044eebda75187b2877e8299ded777a","versions":["1.3.36","1.3.37","1.3.35"],"import_time":"2025-09-17T05:59:34.663111Z","source":"google-open-source-security"}]},"references":[{"type":"WEB","url":"https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack"},{"type":"WEB","url":"https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/"},{"type":"WEB","url":"https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again"},{"type":"WEB","url":"https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised"},{"type":"WEB","url":"https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"}],"affected":[{"package":{"name":"@nativescript-community/ui-label","ecosystem":"npm","purl":"pkg:npm/%40nativescript-community/ui-label"},"versions":["1.3.35","1.3.36","1.3.37"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nativescript-community/ui-label/MAL-2025-47388.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}