{"id":"MAL-2026-2520","summary":"Malicious code in @signals-notebook/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6385e6085b941d851ce17c44dac94bb93521dad91d75b4d284a3dc8f9d367c2e)\nThe package @signals-notebook/utils was found to contain malicious code.\n\n## Source: ossf-package-analysis (07f61f31b3dae1028ea2fe3d1cebf380485f20cd87ae448f7d59c3b4e716eac1)\nThe OpenSSF Package Analysis project identified '@signals-notebook/utils' @ 0.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-04-10T17:35:37.547264Z","published":"2026-04-09T11:05:56Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-04-09T11:05:56Z","versions":["0.0.1"],"source":"ossf-package-analysis","sha256":"07f61f31b3dae1028ea2fe3d1cebf380485f20cd87ae448f7d59c3b4e716eac1","import_time":"2026-04-09T11:25:21.744187277Z"},{"modified_time":"2026-04-10T17:02:58Z","versions":["0.0.1"],"source":"amazon-inspector","sha256":"6385e6085b941d851ce17c44dac94bb93521dad91d75b4d284a3dc8f9d367c2e","import_time":"2026-04-10T17:21:50.293850539Z"}]},"affected":[{"package":{"name":"@signals-notebook/utils","ecosystem":"npm","purl":"pkg:npm/%40signals-notebook/utils"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@signals-notebook/utils/MAL-2026-2520.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}