MAL-2025-5628

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/consgraphqlnodeserv/MAL-2025-5628.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2025-5628
Published
2025-07-05T07:10:49Z
Modified
2025-07-11T02:21:42Z
Summary
Malicious code in consgraphqlnodeserv (npm)
Details

The package communicates with a domain associated with malicious activity.


-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (dc574084c7bec4c108b144a736bfa8091bad6dee3b38dc581d1a8b6c22edd280)

The OpenSSF Package Analysis project identified 'consgraphqlnodeserv' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "source": "ossf-package-analysis",
            "sha256": "dc574084c7bec4c108b144a736bfa8091bad6dee3b38dc581d1a8b6c22edd280",
            "modified_time": "2025-07-05T07:31:33Z",
            "import_time": "2025-07-05T07:34:52.465940333Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "source": "ossf-package-analysis",
            "sha256": "f1471df3ce9842c06bc0dc72d0fff0c7ecf1db58cf7367843d2dc15ed0d58fb5",
            "modified_time": "2025-07-05T07:10:49Z",
            "import_time": "2025-07-05T07:34:52.299091611Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "source": "ossf-package-analysis",
            "sha256": "b6409d737c804bd3df2fa5cc36982ab2098d5e59096cb6c04995ad7fa4345ae5",
            "modified_time": "2025-07-05T07:37:27Z",
            "import_time": "2025-07-05T08:07:08.023684947Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "source": "ossf-package-analysis",
            "sha256": "c44a4deeb22f982a9baf33ff9a4c7c64bd68ddd34e79576247a6952cdaf6f5bc",
            "modified_time": "2025-07-05T08:00:43Z",
            "import_time": "2025-07-05T08:07:08.102724461Z"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "source": "ossf-package-analysis",
            "sha256": "8d6025994ece7097c6c6ae60987eb3f8fda85d1f1d378eea497a055194396086",
            "modified_time": "2025-07-05T08:15:24Z",
            "import_time": "2025-07-05T08:39:14.304023388Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "source": "ossf-package-analysis",
            "sha256": "69495e47e2881adce16144f32057bbc1516ef818f98f016b939dd4256c5d0546",
            "modified_time": "2025-07-05T12:42:10Z",
            "import_time": "2025-07-05T12:46:48.284421216Z"
        }
    ]
}

Affected packages

npm / consgraphqlnodeserv

Package

Name
consgraphqlnodeserv
Purl
pkg:npm/consgraphqlnodeserv

Affected ranges

Type
SEMVER
Events
Introduced
1.0.6

Affected versions

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6