{"id":"MAL-2026-1060","summary":"Malicious code in @zinley/orion (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cb5209e6394eac2659ab3101809c2a59bf59a604346075a9d923de21d982812e)\nThe package @zinley/orion was found to contain malicious code.\n\n## Source: ossf-package-analysis (a95d28c38ccf003df2b9dc25d727029f92363da1024197f4f69e03600edf1f52)\nThe OpenSSF Package Analysis project identified '@zinley/orion' @ 1.2.31 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-03-01T20:59:46.737864Z","published":"2026-02-27T12:04:26Z","database_specific":{"malicious-packages-origins":[{"versions":["1.2.31"],"modified_time":"2026-02-27T12:04:26Z","source":"ossf-package-analysis","import_time":"2026-02-27T12:16:02.668156203Z","sha256":"a95d28c38ccf003df2b9dc25d727029f92363da1024197f4f69e03600edf1f52"},{"versions":["1.2.32"],"modified_time":"2026-02-27T12:26:24Z","source":"ossf-package-analysis","import_time":"2026-02-27T12:49:20.799223946Z","sha256":"58cce0e26f7676572b6a54db1222ce246acb21536784cb0ae52f48e3ac35e0c6"},{"versions":["1.2.34"],"modified_time":"2026-02-27T19:28:17Z","source":"ossf-package-analysis","import_time":"2026-02-27T19:44:09.848789525Z","sha256":"7c92d8d41be63dcdc94a8c09f346c213ca2f8823de3548d80b4c3ad45ae09777"},{"versions":["1.2.36"],"modified_time":"2026-02-27T19:38:21Z","source":"ossf-package-analysis","import_time":"2026-02-27T19:44:09.93195615Z","sha256":"c4b63a9c929b3660443f58620eb6982b71d71b78a8ee6d6d16c078f0ed1c46cb"},{"versions":["1.2.38"],"modified_time":"2026-02-27T19:41:26Z","source":"ossf-package-analysis","import_time":"2026-02-27T19:44:10.040113899Z","sha256":"e1d2a7fc9cdbc0633cedb34394859ca6e718a030096e016109772a67f0f603d3"},{"versions":["1.2.39"],"modified_time":"2026-02-27T19:49:11Z","source":"ossf-package-analysis","import_time":"2026-02-27T20:11:08.474476961Z","sha256":"ca8a5e48ab4bd2e5947da3afc25e17aeef7d2f0270fc3e123819b57fd2ea2aba"},{"versions":["1.2.31","1.2.32","1.2.34","1.2.36","1.2.38","1.2.39"],"modified_time":"2026-03-01T20:25:57Z","source":"amazon-inspector","import_time":"2026-03-01T20:41:57.21348324Z","sha256":"cb5209e6394eac2659ab3101809c2a59bf59a604346075a9d923de21d982812e"}]},"affected":[{"package":{"name":"@zinley/orion","ecosystem":"npm","purl":"pkg:npm/%40zinley/orion"},"versions":["1.2.31","1.2.32","1.2.34","1.2.36","1.2.38","1.2.39"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zinley/orion/MAL-2026-1060.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}