{"id":"MAL-2026-3404","summary":"Malicious code in @matjp/dvi-decode (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (285904d13f5d698c3c33461fe969265ca73c3041db80eabe5637c1ebd3f3ca9b)\nThe package @matjp/dvi-decode was found to contain malicious code.\n\n## Source: ossf-package-analysis (b308cd4e6d4c434c8a74fa1c1a14f354498072da7c7d3e7ab790766b11828a17)\nThe OpenSSF Package Analysis project identified '@matjp/dvi-decode' @ 0.4.101 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-12T07:53:03.377546Z","published":"2026-05-09T17:45:35Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","sha256":"b308cd4e6d4c434c8a74fa1c1a14f354498072da7c7d3e7ab790766b11828a17","import_time":"2026-05-09T17:48:50.005354292Z","versions":["0.4.101"],"modified_time":"2026-05-09T17:45:35Z"},{"source":"amazon-inspector","sha256":"285904d13f5d698c3c33461fe969265ca73c3041db80eabe5637c1ebd3f3ca9b","import_time":"2026-05-12T07:28:54.545580878Z","versions":["0.4.101"],"modified_time":"2026-05-12T06:53:21Z"}]},"affected":[{"package":{"name":"@matjp/dvi-decode","ecosystem":"npm","purl":"pkg:npm/%40matjp/dvi-decode"},"versions":["0.4.101"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@matjp/dvi-decode/MAL-2026-3404.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}