{"id":"MAL-2026-1582","summary":"Malicious code in whatnot-manifests (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2f0504ddd24de9ec3870bb8fc657436f5a61e3f6327f0e044bc380bfe3479d40)\nThe package whatnot-manifests was found to contain malicious code.\n\n## Source: ossf-package-analysis (050ffab3343a46b5adab9d17bf1d817086d336b52579f1f9c416e05355707873)\nThe OpenSSF Package Analysis project identified 'whatnot-manifests' @ 99.0.4 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-03-23T05:34:59.465741Z","published":"2026-03-19T08:24:20Z","database_specific":{"malicious-packages-origins":[{"sha256":"050ffab3343a46b5adab9d17bf1d817086d336b52579f1f9c416e05355707873","source":"ossf-package-analysis","import_time":"2026-03-19T08:47:47.61094518Z","versions":["99.0.4"],"modified_time":"2026-03-19T08:24:20Z"},{"sha256":"2f0504ddd24de9ec3870bb8fc657436f5a61e3f6327f0e044bc380bfe3479d40","source":"amazon-inspector","import_time":"2026-03-23T05:14:29.648755094Z","versions":["99.0.4"],"modified_time":"2026-03-23T05:11:41Z"}]},"affected":[{"package":{"name":"whatnot-manifests","ecosystem":"npm","purl":"pkg:npm/whatnot-manifests"},"versions":["99.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/whatnot-manifests/MAL-2026-1582.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}