ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Apache License 2.0

Propose to withdraw MAL-2024-1398 #593

Closed jasonhills-drata closed 1 week ago

jasonhills-drata commented 1 month ago

MAL-2024-1398

Propose that MAL-2024-1398 Malicious code in drata (npm) be withdrawn.

Background

The package was published on May 31, 2024 as a squat that included a call to eo6zs9q1nkdd0ph.m.pipedream.net that simply returned an empty 200 response. This was quickly reported to both Pipedream and NPM with both parties responding with a take down on June 4, 2024.

Rationale

Since there was no apparent propagation or actual malicious HTTP response, and package ownership has been transferred to a valid owner organization, I propose that the OSV entry be withdrawn.

Precedent

Thank you
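Withdrawal in the OSV format is expressed by setting the record's `withdrawn` timestamp rather than deleting the record, so what a withdrawn MAL entry means in practice depends on how consumers of the feed evaluate that field. The following is an added example, not code from ossf/malicious-packages or from the issue author, showing a minimal consumer that matches installed packages against OSV records and stops alerting on an entry once it is withdrawn. The two records are constructed to illustrate the schema: the `withdrawn` date on MAL-2024-1398, its version list, and the second record (MAL-0000-0001, `example-squat`) are assumptions for the demonstration and are not the repository's actual data.

```python
"""Match installed packages against OSV-format malicious-package records.

Added example (not code from ossf/malicious-packages). It shows how a consumer of the
feed treats an entry whose `withdrawn` field is set: the record stays in the feed, but
matches against it are suppressed from the withdrawal time onward.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records in the OSV schema. Illustration only: the withdrawn date,
# version list and the second record are assumptions, not the repository's real entries.
SAMPLE_OSV_JSON = json.dumps([
    {
        "id": "MAL-2024-1398",
        "published": "2024-06-01T00:00:00Z",
        "modified": "2024-07-01T00:00:00Z",
        "withdrawn": "2024-07-01T00:00:00Z",
        "summary": "Malicious code in drata (npm)",
        "affected": [
            {"package": {"ecosystem": "npm", "name": "drata"}, "versions": ["1.0.0"]}
        ],
    },
    {
        "id": "MAL-0000-0001",  # hypothetical record for the example
        "published": "2024-06-10T00:00:00Z",
        "modified": "2024-06-10T00:00:00Z",
        "summary": "Malicious code in example-squat (npm)",
        "affected": [
            {
                "package": {"ecosystem": "npm", "name": "example-squat"},
                # OSV range introduced at "0" with no fixed event: every version is affected.
                "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
            }
        ],
    },
])


def load_sample_records() -> list:
    """Parse the constructed feed above into OSV record dicts."""
    return json.loads(SAMPLE_OSV_JSON)


def _parse_rfc3339(ts: str) -> datetime:
    """OSV timestamps are RFC 3339; older fromisoformat needs '+00:00' instead of 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_withdrawn(record: dict, at: Optional[datetime] = None) -> bool:
    """True if the record carries a `withdrawn` timestamp at or before `at` (default: now)."""
    ts = record.get("withdrawn")
    if not ts:
        return False
    at = at or datetime.now(timezone.utc)
    return _parse_rfc3339(ts) <= at


def _version_affected(affected: dict, version: str) -> bool:
    """Simplified OSV version match: explicit `versions` list, or an open range from "0".

    Full SEMVER/ECOSYSTEM range evaluation (introduced/fixed pairs) is out of scope here.
    """
    if "versions" in affected:
        return version in affected["versions"]
    for rng in affected.get("ranges", []):
        events = rng.get("events", [])
        introduced_zero = any(e.get("introduced") == "0" for e in events)
        closed = any("fixed" in e or "last_affected" in e for e in events)
        if introduced_zero and not closed:
            return True
    return False


def find_malicious(installed, records, at=None, include_withdrawn=False):
    """Return (ecosystem, name, version, osv_id) for each installed package hit by a record.

    `installed` is an iterable of (ecosystem, name, version) tuples, e.g. from a lockfile.
    Withdrawn records are skipped unless include_withdrawn=True, so a withdrawn MAL entry
    stops producing alerts without being removed from the feed.
    """
    hits = []
    for record in records:
        if not include_withdrawn and is_withdrawn(record, at):
            continue
        for affected in record.get("affected", []):
            pkg = affected.get("package", {})
            for eco, name, version in installed:
                if (eco, name) == (pkg.get("ecosystem"), pkg.get("name")) and \
                        _version_affected(affected, version):
                    hits.append((eco, name, version, record["id"]))
    return hits


if __name__ == "__main__":
    installed = [("npm", "drata", "1.0.0"), ("npm", "example-squat", "0.0.1")]
    for hit in find_malicious(installed, load_sample_records()):
        print("ALERT", hit)
```

Keeping withdrawn records in the feed, as the OSV schema does, preserves the audit trail for anyone who installed the package between publication and takedown; passing `include_withdrawn=True` (or an earlier `at` timestamp) lets an incident responder reconstruct what the feed would have flagged at that time.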