{"id":"MAL-2026-3128","summary":"Malicious code in wm-plugin-teach-me-widget (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a8892d058e7f10e304a86eea230ef7fa8fbf9a76da1d09b60f5498305690d4bc)\nThe package wm-plugin-teach-me-widget was found to contain malicious code.\n\n## Source: ossf-package-analysis (ebd46f9bf707420f68f24a52ca7bb9e517929d8e545802374dcb09697c8df410)\nThe OpenSSF Package Analysis project identified 'wm-plugin-teach-me-widget' @ 21.0.31 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-04-30T23:06:56.685363Z","published":"2026-04-28T10:21:02Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-04-28T10:21:02Z","import_time":"2026-04-28T11:13:50.147069477Z","versions":["21.0.31"],"sha256":"ebd46f9bf707420f68f24a52ca7bb9e517929d8e545802374dcb09697c8df410","source":"ossf-package-analysis"},{"modified_time":"2026-04-30T21:59:18Z","import_time":"2026-04-30T22:23:10.873947487Z","versions":["21.0.31"],"sha256":"a8892d058e7f10e304a86eea230ef7fa8fbf9a76da1d09b60f5498305690d4bc","source":"amazon-inspector"}]},"affected":[{"package":{"name":"wm-plugin-teach-me-widget","ecosystem":"npm","purl":"pkg:npm/wm-plugin-teach-me-widget"},"versions":["21.0.31"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wm-plugin-teach-me-widget/MAL-2026-3128.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}