{"id":"MAL-2025-5249","summary":"Malicious code in nstmrt-stf-api (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (0da052c315a64ad23ddcebd853a91fc2f81597d0cd587326b5f7554911cc9d73)\nThe OpenSSF Package Analysis project identified 'nstmrt-stf-api' @ 1.0.10 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2025-06-25T11:06:06Z","published":"2025-06-25T06:50:40Z","database_specific":{"malicious-packages-origins":[{"sha256":"4eae18e33d6846a98b7a18d6c8ee414cdd48d428e3a07d96c8d26146d0c8c4e3","import_time":"2025-06-25T07:06:39.552385073Z","source":"ossf-package-analysis","modified_time":"2025-06-25T06:55:36Z","versions":["1.0.4"]},{"sha256":"acd5c568fbddcb6dca4f02d83465f59af8ac27c64818ac44aa1044e06be1e496","import_time":"2025-06-25T07:06:39.476284985Z","source":"ossf-package-analysis","modified_time":"2025-06-25T06:50:40Z","versions":["1.0.2"]},{"sha256":"ce5f5094cff990f3b5d3d06e06d90210851478314546638a3f9de1c7b083a45a","import_time":"2025-06-25T07:06:39.6168634Z","source":"ossf-package-analysis","modified_time":"2025-06-25T07:00:59Z","versions":["1.0.5"]},{"sha256":"c3464a00c60398b4df74a3f728620dfa8865bf7f9c052c4930e756bcb250eaa9","import_time":"2025-06-25T07:36:08.017264735Z","source":"ossf-package-analysis","modified_time":"2025-06-25T07:22:42Z","versions":["1.0.7"]},{"sha256":"0da052c315a64ad23ddcebd853a91fc2f81597d0cd587326b5f7554911cc9d73","import_time":"2025-06-25T11:05:34.033853137Z","source":"ossf-package-analysis","modified_time":"2025-06-25T10:40:52Z","versions":["1.0.10"]},{"sha256":"510379bc3b9478a5743a70e95c73bd9ceb20a021d98f5c503a7630290f574875","import_time":"2025-06-25T11:05:34.135905622Z","source":"ossf-package-analysis","modified_time":"2025-06-25T10:46:01Z","versions":["1.0.11"]},{"sha256":"ef385cb9276f71304b089fddd9d05b60237724a5e5fdeea3398059ef20ad6602","import_time":"2025-06-25T11:05:34.260818318Z","source":"ossf-package-analysis","modified_time":"2025-06-25T10:51:28Z","versions":["1.0.12"]}]},"affected":[{"package":{"name":"nstmrt-stf-api","ecosystem":"npm","purl":"pkg:npm/nstmrt-stf-api"},"versions":["1.0.4","1.0.2","1.0.5","1.0.7","1.0.10","1.0.11","1.0.12"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nstmrt-stf-api/MAL-2025-5249.json"}}],"schema_version":"1.7.3","credits":[{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}