{"id":"MAL-2026-1725","summary":"Malicious code in env-workflow-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6c69ec15e609dd6c0e6dacd007a2467cc5e24a118f60cca22ec48c3b8225c4df)\nThe package env-workflow-test was found to contain malicious code.\n","modified":"2026-03-23T05:42:08.069874Z","published":"2026-03-18T12:48:56Z","database_specific":{"malicious-packages-origins":[{"sha256":"7e1e87193ac77c5f02695ec769b333d7ce96e67d9deb9e37e78723c898f362d9","versions":["2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.1.10","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.20","2.1.21","2.1.22","2.1.23"],"import_time":"2026-03-19T12:18:49.080564068Z","id":"RLMA-2026-01286","modified_time":"2026-03-18T12:48:56Z","source":"reversing-labs"},{"sha256":"6c69ec15e609dd6c0e6dacd007a2467cc5e24a118f60cca22ec48c3b8225c4df","versions":["2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.1.10","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.20","2.1.21","2.1.22","2.1.23"],"import_time":"2026-03-23T05:14:36.973677318Z","modified_time":"2026-03-23T05:11:41Z","source":"amazon-inspector"}]},"references":[{"type":"ARTICLE","url":"https://jfrog.com/blog/breaking-appsec-myths-obfuscated-packages"}],"affected":[{"package":{"name":"env-workflow-test","ecosystem":"npm","purl":"pkg:npm/env-workflow-test"},"versions":["2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.1.10","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.20","2.1.21","2.1.22","2.1.23"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/env-workflow-test/MAL-2026-1725.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}