{"id":"MAL-2026-7314","summary":"Malicious code in logfuse (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (259fc8b205e41dea32af006c7eaa325f0d1cca2421c668b778b8d2559d8ec900)\nThe package was found to contain malicious code or consuming dependency that contains malicious code\n","modified":"2026-07-09T22:17:02.329326975Z","published":"2026-07-07T12:57:52Z","database_specific":{"malicious-packages-origins":[{"versions":["2.1.6"],"source":"reversing-labs","id":"RLMA-2026-05145","modified_time":"2026-07-07T12:57:52Z","import_time":"2026-07-09T09:16:37.47455641Z","sha256":"389e75ed90c0c82ffc717d29b97dd7b368dc458cdfa0005440be404baef1c971"},{"id":"IN-MAL-2026-009409","source":"amazon-inspector","versions":["2.1.6"],"modified_time":"2026-07-09T21:51:42Z","import_time":"2026-07-09T22:02:28.375640612Z","sha256":"259fc8b205e41dea32af006c7eaa325f0d1cca2421c668b778b8d2559d8ec900"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/logfuse/v/2.1.6"}],"affected":[{"package":{"name":"logfuse","ecosystem":"npm","purl":"pkg:npm/logfuse"},"versions":["2.1.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/logfuse/MAL-2026-7314.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-E1wgtNiNzkM4RuXbanyYHeqj5wRt+ucOvh04rfFXg/OzEfnSuE1XSQAU/sac5I/bdvzfcuRgESQmDlZCScZ4aA==","sha1":"21a87867a46990d32eaa4ac3e15da5ef03a843f7"},"filename":"logfuse-2.1.6.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}