ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Apache License 2.0
205 stars 19 forks

Reverse incorrectly created malicious entry for package React. #554

Closed lujunsan closed 1 week ago

lujunsan commented 1 week ago

The malicious package is @zettle-bo/react instead, which was already published as of 2023-09-21T01:41:32Z.

Not sure what the correct procedure is here, please advise.

This has happened to multiple packages; the NPM scope is not being taken into account, as it is flagging the real, non-malicious packages as malicious.

calebbrown commented 1 week ago

Created #555 to track this issue.

calebbrown commented 1 week ago

For this report specifically, it should be marked as withdrawn.

This involves moving it to the correct osv/withdrawn/ location and adding the "withdrawn" time to the OSV.

calebbrown commented 1 week ago

This is now fixed in PR #559.

See https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/react/MAL-2024-2929.json