{"id":"MAL-2026-2447","summary":"Malicious code in @toprank/partner (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (78a6d41a400b329c496f199f979216a151264b95d960a177b3b0347e6b3cf10e)\nThe package @toprank/partner was found to contain malicious code.\n\n## Source: ossf-package-analysis (5758f4b3b20d628c49a22e4eb09f54e9604d6b00fa68dee107701a175d9fa632)\nThe OpenSSF Package Analysis project identified '@toprank/partner' @ 99.99.11 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-04-10T01:37:32.033299Z","published":"2026-04-03T07:43:43Z","database_specific":{"malicious-packages-origins":[{"sha256":"5758f4b3b20d628c49a22e4eb09f54e9604d6b00fa68dee107701a175d9fa632","versions":["99.99.11"],"modified_time":"2026-04-03T07:43:43Z","import_time":"2026-04-03T09:49:15.314128549Z","source":"ossf-package-analysis"},{"sha256":"78a6d41a400b329c496f199f979216a151264b95d960a177b3b0347e6b3cf10e","versions":["99.99.11"],"modified_time":"2026-04-07T14:24:50Z","import_time":"2026-04-07T14:39:24.611593123Z","source":"amazon-inspector"}]},"affected":[{"package":{"name":"@toprank/partner","ecosystem":"npm","purl":"pkg:npm/%40toprank/partner"},"versions":["99.99.11","99.99.12","99.99.13"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@toprank/partner/MAL-2026-2447.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}