{"id":"MAL-2026-3016","summary":"Malicious code in amazon-q-developer-streaming-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2612d348229614bb857a8f2c30c1ad2d66954d7a05073f15319f8aca2fb1a86d)\nThe package amazon-q-developer-streaming-client was found to contain malicious code.\n\n## Source: ossf-package-analysis (bedb03611546444363288fafa5c9320d572a8fc1bcbfd52a1886076523c182d7)\nThe OpenSSF Package Analysis project identified 'amazon-q-developer-streaming-client' @ 99.9.13 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-04-24T07:02:57.309316Z","published":"2026-04-23T13:15:52Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-04-23T13:35:47Z","source":"ossf-package-analysis","sha256":"bedb03611546444363288fafa5c9320d572a8fc1bcbfd52a1886076523c182d7","import_time":"2026-04-23T13:37:41.562171991Z","versions":["99.9.13"]},{"modified_time":"2026-04-23T13:40:50Z","source":"ossf-package-analysis","sha256":"ca380d122effc585a4688a2463b822cba039581576471979a57f4bf67cf505b3","import_time":"2026-04-23T14:50:28.134605785Z","versions":["99.9.15"]},{"modified_time":"2026-04-23T20:43:56Z","source":"amazon-inspector","sha256":"2612d348229614bb857a8f2c30c1ad2d66954d7a05073f15319f8aca2fb1a86d","import_time":"2026-04-23T20:49:02.379061858Z","versions":["99.9.13","99.9.15"]},{"modified_time":"2026-04-23T13:15:52Z","source":"ossf-package-analysis","sha256":"2b62909108b789f041fc590407cb04c9e9d85d5ba7071c9573c98f981a8caed2","import_time":"2026-04-24T06:46:17.444704011Z","versions":["99.9.11"]}]},"affected":[{"package":{"name":"amazon-q-developer-streaming-client","ecosystem":"npm","purl":"pkg:npm/amazon-q-developer-streaming-client"},"versions":["99.9.13","99.9.15","99.9.11"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/amazon-q-developer-streaming-client/MAL-2026-3016.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}