{"id":"MAL-2026-3302","summary":"Malicious code in ally-starter-api (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ac9875cbfe312bac49b96d321664e13d98ff6214d38db1d0b3339500a83204cc)\nThe package ally-starter-api was found to contain malicious code.\n\n## Source: ossf-package-analysis (5479f46a56fc6576f3486d501685cddf5fe063c0acace5fbd2706cab928cde7d)\nThe OpenSSF Package Analysis project identified 'ally-starter-api' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-12T07:55:39.702563Z","published":"2026-05-03T12:19:19Z","database_specific":{"malicious-packages-origins":[{"versions":["99.99.99"],"modified_time":"2026-05-03T12:19:19Z","source":"ossf-package-analysis","sha256":"5479f46a56fc6576f3486d501685cddf5fe063c0acace5fbd2706cab928cde7d","import_time":"2026-05-04T03:13:21.516741406Z"},{"versions":["100.0.0"],"modified_time":"2026-05-04T13:20:39Z","source":"ossf-package-analysis","sha256":"a12774becabc70e08211c6dc4b002e89e4385de1adae71a6bc7f3d117851afe9","import_time":"2026-05-04T23:49:24.812129938Z"},{"versions":["99.99.99","100.0.0"],"modified_time":"2026-05-12T06:53:21Z","source":"amazon-inspector","sha256":"ac9875cbfe312bac49b96d321664e13d98ff6214d38db1d0b3339500a83204cc","import_time":"2026-05-12T07:28:55.317908443Z"}]},"affected":[{"package":{"name":"ally-starter-api","ecosystem":"npm","purl":"pkg:npm/ally-starter-api"},"versions":["99.99.99","100.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ally-starter-api/MAL-2026-3302.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}