{"id":"MAL-2026-2011","summary":"Malicious code in cms-catalogue (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d08a53064a76469a8b5ab4afdb3aa2907127f26f98ac8255e3ae650f8ce5d1ba)\nThe package cms-catalogue was found to contain malicious code.\n\n## Source: ossf-package-analysis (b1e5887ae48f20db99c60c5424798e9abab99d40af1c9f62074ea43ddbe9eb82)\nThe OpenSSF Package Analysis project identified 'cms-catalogue' @ 99.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-03-23T05:41:10.840152Z","published":"2026-03-21T10:35:35Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-03-21T10:35:35Z","versions":["99.0.0"],"sha256":"b1e5887ae48f20db99c60c5424798e9abab99d40af1c9f62074ea43ddbe9eb82","import_time":"2026-03-21T10:43:56.140798613Z","source":"ossf-package-analysis"},{"modified_time":"2026-03-21T10:40:18Z","versions":["99.0.1"],"sha256":"e2b6e877ee3e0be9b6fa0c5ca347f01ce90381e62e9c5ad293879cb0173b6742","import_time":"2026-03-22T23:10:11.028567254Z","source":"ossf-package-analysis"},{"modified_time":"2026-03-23T05:11:41Z","versions":["99.0.0","99.0.1"],"sha256":"d08a53064a76469a8b5ab4afdb3aa2907127f26f98ac8255e3ae650f8ce5d1ba","import_time":"2026-03-23T05:14:20.835645225Z","source":"amazon-inspector"}]},"affected":[{"package":{"name":"cms-catalogue","ecosystem":"npm","purl":"pkg:npm/cms-catalogue"},"versions":["99.0.0","99.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cms-catalogue/MAL-2026-2011.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}