{"schema_version":"1.7.3","id":"MAL-2025-190623","published":"2025-11-24T03:18:56Z","modified":"2025-11-24T16:41:26Z","summary":"Malicious code in cbre-flow-common (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (947d73050012f020f6fdd2335ac7c8602c707fb84fb141fbfdd1e88a30ca3650)\nThe package cbre-flow-common was found to contain malicious code.\n\n## Source: ossf-package-analysis (290794fdf2d824752e5692d82ab151f152efdfe7b0dff98884e70804bad56c1f)\nThe OpenSSF Package Analysis project identified 'cbre-flow-common' @ 99.4.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","affected":[{"package":{"name":"cbre-flow-common","ecosystem":"npm","purl":"pkg:npm/cbre-flow-common"},"versions":["99.4.0","99.5.0","99.6.0","99.3.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cbre-flow-common/MAL-2025-190623.json"}}],"database_specific":{"malicious-packages-origins":[{"import_time":"2025-11-24T03:34:16.437749831Z","modified_time":"2025-11-24T03:18:56Z","sha256":"290794fdf2d824752e5692d82ab151f152efdfe7b0dff98884e70804bad56c1f","source":"ossf-package-analysis","versions":["99.4.0"]},{"import_time":"2025-11-24T03:34:16.571286101Z","modified_time":"2025-11-24T03:25:32Z","sha256":"f1fe4e26e8e87a50082f4c1b49f93e1e99188441816cb218a0e7e793c3215d65","source":"ossf-package-analysis","versions":["99.5.0"]},{"import_time":"2025-11-24T04:16:30.382974075Z","modified_time":"2025-11-24T03:35:19Z","sha256":"bfc0afd4d836bce6c1e73342e6d23da05365c7460079761a2b8ff91d18461d39","source":"ossf-package-analysis","versions":["99.6.0"]},{"import_time":"2025-11-24T16:07:38.699644283Z","modified_time":"2025-11-24T15:54:02Z","sha256":"947d73050012f020f6fdd2335ac7c8602c707fb84fb141fbfdd1e88a30ca3650","source":"amazon-inspector","versions":["99.4.0","99.5.0","99.6.0"]},{"import_time":"2025-11-24T16:39:33.059720429Z","modified_time":"2025-11-24T16:19:35Z","sha256":"f44f7c6e3f1cbe2b6ce922f05789bc7751af9f55472bdf8fee16becd92e8213b","source":"amazon-inspector","versions":["99.3.0"]}]},"credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}