{"id":"MAL-2026-2954","summary":"Malicious code in bmg-web-features (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (4c1019887de50566ea9613d5f52b7053ef8ce60908337628432831aa4e3dd63d)\nThe OpenSSF Package Analysis project identified 'bmg-web-features' @ 999.99.9 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-04-20T16:48:56.175408Z","published":"2026-04-20T16:01:19Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-04-20T16:01:19Z","source":"ossf-package-analysis","sha256":"4c1019887de50566ea9613d5f52b7053ef8ce60908337628432831aa4e3dd63d","import_time":"2026-04-20T16:31:17.006489834Z","versions":["999.99.9"]}]},"affected":[{"package":{"name":"bmg-web-features","ecosystem":"npm","purl":"pkg:npm/bmg-web-features"},"versions":["999.99.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bmg-web-features/MAL-2026-2954.json"}}],"schema_version":"1.7.5","credits":[{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}