{"id":"MAL-2026-1037","summary":"Malicious code in get-fonts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8d55d952f3fb507a89362a1535e7cf7d781b6f26e82c7130ca008af612bfddf4)\nThe package get-fonts was found to contain malicious code.\n\n## Source: ossf-package-analysis (a255823975ed0735c5e9f65f1bb25526673b56262c85cacdae52072ef8b7910b)\nThe OpenSSF Package Analysis project identified 'get-fonts' @ 9.9.9 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-03-19T12:44:34.954202Z","published":"2026-02-25T04:20:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"a255823975ed0735c5e9f65f1bb25526673b56262c85cacdae52072ef8b7910b","source":"ossf-package-analysis","import_time":"2026-02-26T01:37:59.943223273Z","modified_time":"2026-02-25T04:20:48Z","versions":["9.9.9"]},{"sha256":"8d55d952f3fb507a89362a1535e7cf7d781b6f26e82c7130ca008af612bfddf4","source":"amazon-inspector","import_time":"2026-03-01T20:41:58.374546171Z","modified_time":"2026-03-01T20:25:57Z","versions":["9.9.9"]},{"sha256":"2e0693155674102e265f96e09d2d85a210daac8246ba41e4a9961d5a7c16f682","source":"reversing-labs","id":"RLMA-2026-01333","import_time":"2026-03-19T12:18:53.693160334Z","modified_time":"2026-03-18T12:52:40Z","versions":["9.9.9"]}]},"affected":[{"package":{"name":"get-fonts","ecosystem":"npm","purl":"pkg:npm/get-fonts"},"versions":["9.9.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/get-fonts/MAL-2026-1037.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}