{"id":"MAL-2026-3806","summary":"Malicious code in @citi-icg-158830/elemental-chameleon (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (698e88fd9d64450847d476a41187198acc173deacf9c5484791a4fdb6fbbe969)\nThe package @citi-icg-158830/elemental-chameleon was found to contain malicious code.\n\n## Source: ossf-package-analysis (584d2e027d86f89b78898d46a4aab1a0bd131897750c876c729e2247b1479a40)\nThe OpenSSF Package Analysis project identified '@citi-icg-158830/elemental-chameleon' @ 0.0.0-defensive-callback.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-19T18:02:15.052804182Z","published":"2026-05-16T19:55:24Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.0-defensive-callback.1"],"import_time":"2026-05-16T20:20:00.60941279Z","sha256":"584d2e027d86f89b78898d46a4aab1a0bd131897750c876c729e2247b1479a40","modified_time":"2026-05-16T20:05:33Z","source":"ossf-package-analysis"},{"import_time":"2026-05-16T20:20:00.431962221Z","versions":["0.0.0-defensive-callback"],"sha256":"e5553e657a7ec3b5a6461a94d949a78b9bdb8915d8d37c0144d6d6815c209680","modified_time":"2026-05-16T19:55:24Z","source":"ossf-package-analysis"},{"versions":["0.0.0-defensive-callback.1","0.0.0-defensive-callback"],"import_time":"2026-05-19T17:50:10.943505616Z","sha256":"698e88fd9d64450847d476a41187198acc173deacf9c5484791a4fdb6fbbe969","modified_time":"2026-05-19T16:47:48Z","source":"amazon-inspector"}]},"affected":[{"package":{"name":"@citi-icg-158830/elemental-chameleon","ecosystem":"npm","purl":"pkg:npm/%40citi-icg-158830%2Felemental-chameleon"},"versions":["0.0.0-defensive-callback.1","0.0.0-defensive-callback"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@citi-icg-158830/elemental-chameleon/MAL-2026-3806.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}