{"id":"MAL-2026-3126","summary":"Malicious code in lsh (crates.io)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (8cd6cecd3051e3998c5f96ec8dbe1bcfffc1ed7133d394a1779c8c1b0252c8c0)\nThe OpenSSF Package Analysis project identified 'lsh' @ 99.0.1 (crates.io) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-04-28T14:31:56.062542Z","published":"2026-04-28T01:45:56Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","modified_time":"2026-04-28T01:45:56Z","sha256":"8cd6cecd3051e3998c5f96ec8dbe1bcfffc1ed7133d394a1779c8c1b0252c8c0","versions":["99.0.1"],"import_time":"2026-04-28T06:04:30.698576513Z"},{"source":"ossf-package-analysis","modified_time":"2026-04-28T13:41:20Z","sha256":"0d659fd33aac3eba6d4a9616642cd843d8cb7ae8a7433d94cad9dade68235d9e","versions":["99.1.0"],"import_time":"2026-04-28T14:18:17.125757194Z"}]},"affected":[{"package":{"name":"lsh","ecosystem":"crates.io","purl":"pkg:cargo/lsh"},"versions":["99.0.1","99.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/crates.io/lsh/MAL-2026-3126.json"}}],"schema_version":"1.7.5","credits":[{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}