Skip to content

Add malicious npm package dependency_confusions#1359

Open
tolgaergin wants to merge 2 commits into
ossf:mainfrom
tolgaergin:codex/add-dependency-confusions-malware
Open

Add malicious npm package dependency_confusions#1359
tolgaergin wants to merge 2 commits into
ossf:mainfrom
tolgaergin:codex/add-dependency-confusions-malware

Conversation

@tolgaergin

Copy link
Copy Markdown
Contributor

Adds a malicious-package OSV report for dependency_confusions@99.9.9.

Source report: https://firewall.lpm.dev/npm/dependency_confusions/v/99.9.9

Evidence summary:

  • Published on npm at 2026-07-08T09:44:07.995Z.
  • package.json sets index.js as the package main entrypoint and defines postinstall: node index.js.
  • During install, index.js builds a JSON payload containing os.userInfo().username, process.env.INIT_CWD || process.cwd(), os.hostname(), first non-internal local IPv4 from os.networkInterfaces(), os.platform(), and an install timestamp.
  • index.js sends that payload via https.request to https://webhook.site/264e1903-28ea-48ea-8c55-be58c5a76791.
  • LPM Firewall classified the package as malicious/block with low false-positive risk.

Local checks:

  • jq parse check passed.
  • Lightweight local advisory checks passed.
  • The unpkg source references returned 200.
  • Could not run make validate locally because Go is not installed on this machine; GitHub Actions should run the official OpenSSF validator.

Signed-off-by: Tolga Ergin <tolgaergin@gmail.com>
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/dependency_confusions/v/99.9.9"
},
{

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, here and below: too many unnecessary references

@tolgaergin

Copy link
Copy Markdown
Contributor Author

Updated — I trimmed the extra references and kept only the npm package page plus the LPM report link.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants