{"id":"MAL-2026-3412","summary":"Malicious code in post-purchase-bundler (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3a33aa69ef958573a786f3db208d8ee335829e14009d1fdafecbc842ed493b8b)\nThe package post-purchase-bundler was found to contain malicious code.\n\n## Source: ossf-package-analysis (6ee91ffff812d05531df7ad59d39eb10a0db8bf0ed97263701d772f4a5429e60)\nThe OpenSSF Package Analysis project identified 'post-purchase-bundler' @ 99.9.25 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-12T07:57:51.976605Z","published":"2026-05-10T10:00:29Z","database_specific":{"malicious-packages-origins":[{"sha256":"e9f3292f2f19840d6a3685add8754353fcf47bd9240b53ab5552b6a716254e7a","modified_time":"2026-05-10T10:00:29Z","versions":["99.9.9"],"source":"ossf-package-analysis","import_time":"2026-05-10T10:34:44.116201041Z"},{"sha256":"6ee91ffff812d05531df7ad59d39eb10a0db8bf0ed97263701d772f4a5429e60","modified_time":"2026-05-10T12:46:14Z","versions":["99.9.25"],"source":"ossf-package-analysis","import_time":"2026-05-10T12:50:36.06548091Z"},{"sha256":"3a33aa69ef958573a786f3db208d8ee335829e14009d1fdafecbc842ed493b8b","modified_time":"2026-05-12T06:53:21Z","versions":["99.9.9","99.9.25"],"source":"amazon-inspector","import_time":"2026-05-12T07:28:49.308581483Z"}]},"affected":[{"package":{"name":"post-purchase-bundler","ecosystem":"npm","purl":"pkg:npm/post-purchase-bundler"},"versions":["99.9.9","99.9.25"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/post-purchase-bundler/MAL-2026-3412.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}