MAL-2026-56

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@crepo/crepo-url-query-mapper/MAL-2026-56.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2026-56
Published
2026-01-05T18:26:09Z
Modified
2026-01-08T09:22:26.654136Z
Summary
Malicious code in @crepo/crepo-url-query-mapper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a8556f30a48d0b1c957d0d66394801c28e6259503ed20f4cbf900102b962ee5f)

The package @crepo/crepo-url-query-mapper was found to contain malicious code.

Source: ossf-package-analysis (add65bf82139a3279aa3da202fe92d6d36da30975e56567399ec3eaa82f4f76d)

The OpenSSF Package Analysis project identified '@crepo/crepo-url-query-mapper' @ 11.11.12 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-01-05T18:26:09Z",
            "import_time": "2026-01-05T18:46:54.437165906Z",
            "source": "ossf-package-analysis",
            "sha256": "add65bf82139a3279aa3da202fe92d6d36da30975e56567399ec3eaa82f4f76d",
            "versions": [
                "11.11.12"
            ]
        },
        {
            "modified_time": "2026-01-08T09:02:00Z",
            "import_time": "2026-01-08T09:11:26.09830653Z",
            "source": "amazon-inspector",
            "sha256": "a8556f30a48d0b1c957d0d66394801c28e6259503ed20f4cbf900102b962ee5f",
            "versions": [
                "11.11.12"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @crepo/crepo-url-query-mapper

Package

Name
@crepo/crepo-url-query-mapper
View open source insights on deps.dev
Purl
pkg:npm/%40crepo/crepo-url-query-mapper

Affected ranges

Affected versions

11.*
11.11.12

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@crepo/crepo-url-query-mapper/MAL-2026-56.json"