{"id":"MAL-2026-48","summary":"Malicious code in shop-state (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5afad53032ae0acf7c8b481c6f0bd05fc4a1c283de24285d35b19a376cfa1b10)\nThe package shop-state was found to contain malicious code.\n\n## Source: ossf-package-analysis (d58739af4e37d5036dbdce18541280d73164818a82e7d2de5f2b142a52db2a89)\nThe OpenSSF Package Analysis project identified 'shop-state' @ 999.1.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-01-08T09:38:40.529835Z","published":"2026-01-05T07:50:44Z","database_specific":{"malicious-packages-origins":[{"versions":["999.1.0"],"source":"ossf-package-analysis","import_time":"2026-01-05T08:10:55.499262583Z","sha256":"d58739af4e37d5036dbdce18541280d73164818a82e7d2de5f2b142a52db2a89","modified_time":"2026-01-05T07:50:44Z"},{"versions":["999.1.0"],"source":"amazon-inspector","import_time":"2026-01-08T09:11:31.91996295Z","sha256":"5afad53032ae0acf7c8b481c6f0bd05fc4a1c283de24285d35b19a376cfa1b10","modified_time":"2026-01-08T09:02:00Z"}]},"affected":[{"package":{"name":"shop-state","ecosystem":"npm","purl":"pkg:npm/shop-state"},"versions":["999.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shop-state/MAL-2026-48.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}