{"id":"MAL-2026-989","summary":"Malicious code in vl-ui-alert (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e4b178c0c090ebb69682438481586f4d0c78dbcd8938f14ce595469fe3796916)\nThe package vl-ui-alert was found to contain malicious code.\n\n## Source: ossf-package-analysis (8868e8fbbb07e9a4f7f789dc65bb7fece5a4991c916f0e4f6fc54619bf1e0653)\nThe OpenSSF Package Analysis project identified 'vl-ui-alert' @ 99.99.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-03-23T05:02:05.155181Z","published":"2026-02-22T19:59:59Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","modified_time":"2026-02-22T19:59:59Z","import_time":"2026-02-23T03:07:52.410115378Z","versions":["99.99.1"],"sha256":"8868e8fbbb07e9a4f7f789dc65bb7fece5a4991c916f0e4f6fc54619bf1e0653"},{"source":"amazon-inspector","modified_time":"2026-02-23T03:51:30Z","import_time":"2026-02-23T04:19:47.179856849Z","versions":["99.99.1"],"sha256":"e4b178c0c090ebb69682438481586f4d0c78dbcd8938f14ce595469fe3796916"}]},"affected":[{"package":{"name":"vl-ui-alert","ecosystem":"npm","purl":"pkg:npm/vl-ui-alert"},"versions":["99.99.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vl-ui-alert/MAL-2026-989.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}