Closed laurie71 closed 1 week ago
Hey @laurie71, these are legitimate advisories which were generated as part of a malware takedown done by the npm team. The advisories are specifically about the packages on npmjs.com, ex. https://www.npmjs.com/package/appdynamics-libagent-napi
And I would guess that your build system is using a private package registry for packages of the same name. If you do some searching, you'll find similar issues others have opened in this repo, ex. https://github.com/github/advisory-database/issues/3487 https://github.com/github/advisory-database/issues/4697 https://github.com/github/advisory-database/issues/2492
tl;dr is that npm audit is confusing where packages come from. I opened an issue with npm some time back to try and get this addressed in the default behavior for npm audit, but alas, no movement there. See: https://github.com/npm/rfcs/issues/739
So, you can reach out to npm support about these advisories, but the packages on npmjs.com were almost certainly malware and having advisories about them is beneficial for anyone who may have downloaded those packages. Sorry, I can't give you a more satisfying answer, but I hope that helps at least 😃
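One way to see for yourself which registry a flagged package actually came from, as an added example that is not code from this thread or from npm's tooling: the script below reads a package-lock.json (lockfileVersion 2 or 3, which records each installed package under `packages` with a `resolved` tarball URL) and, for each advisory-listed name, reports whether the installed copy resolved from registry.npmjs.org or from some other host under the same name. The private registry host npm.example.internal and the package example-util are constructed for the sample lockfile; the real package name from the thread is used only as a lookup key.

```javascript
// Added example, not code from the github/advisory-database thread or from
// npm. It parses a package-lock.json (lockfileVersion 2 or 3, "packages" map)
// and reports which registry host each installed package resolved from, so an
// advisory about the npmjs.com package of a given name can be compared with
// what the build really pulled in. The host npm.example.internal and the
// package example-util below are constructed sample data.

const PUBLIC_REGISTRY = 'registry.npmjs.org';

// Package name from a lockfile "packages" key: the segment after the last
// "node_modules/", which keeps scopes ("@scope/name") and handles nesting.
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Map of installed package name -> { version, host, resolved }.
function resolvedOrigins(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const origins = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = entry.name || nameFromLockPath(lockPath);
    let host = 'unknown';
    if (typeof entry.resolved === 'string') {
      try {
        host = new URL(entry.resolved).host;
      } catch {
        host = entry.resolved; // not a URL (e.g. a local path spec); keep it verbatim
      }
    }
    origins.set(name, { version: entry.version, host, resolved: entry.resolved || null });
  }
  return origins;
}

// For each advisory-flagged name, say whether the installed copy came from the
// public registry the advisory is about, from a different registry under the
// same name (the private-registry case discussed above), or is not installed.
function crossCheckAdvisories(lockfileJson, flaggedNames, publicHost = PUBLIC_REGISTRY) {
  const origins = resolvedOrigins(lockfileJson);
  return flaggedNames.map((name) => {
    const found = origins.get(name);
    if (!found) return { name, status: 'not-installed' };
    const status = found.host === publicHost
      ? 'public-registry-match'
      : 'private-registry-same-name';
    return { name, version: found.version, host: found.host, status };
  });
}

// Constructed lockfile fragment: one advisory-listed name pulled from a
// (hypothetical) private registry, one ordinary package from registry.npmjs.org.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/appdynamics-libagent-napi': {
      version: '1.0.0',
      resolved: 'https://npm.example.internal/appdynamics-libagent-napi/-/appdynamics-libagent-napi-1.0.0.tgz',
    },
    'node_modules/example-util': {
      version: '2.3.4',
      resolved: 'https://registry.npmjs.org/example-util/-/example-util-2.3.4.tgz',
    },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  const flagged = ['appdynamics-libagent-napi', 'example-util', 'not-installed-pkg'];
  for (const row of crossCheckAdvisories(SAMPLE_LOCK, flagged)) console.log(row);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents and passing the names from the advisories; a `private-registry-same-name` row is the situation this thread describes, where the advisory is about a different artifact than the one the build installed, and `resolved` is the evidence to hand to npm support.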
Ah, that explains it; glad they were taken down. I'll follow up with npm support.
Cool. Well if you're good then I'll close this issue out. Feel free to re-open/reply/whatev too if I can help more 👍
There are three malware reports against packages published by AppDynamics:
I work for AppDynamics (a Cisco, Inc business unit) and am the lead engineer for the product these packages are a part of. These packages are not malware, do not contain malware, and do not have any vulnerabilities listed by npm audit. I believe the malware reports against them are, at best, erroneous and, at worst, malicious.
Unfortunately the advisories linked above contain no specifics that we can address. What is the process for refuting these advisories and getting them removed?