{"schema_version":"1.7.3","id":"MAL-2026-168","published":"2026-01-08T15:40:55Z","modified":"2026-01-15T22:21:59.070138Z","summary":"Malicious code in @zuora-marketing/linting (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ddcfd1151af868e694a4a79307ce1284331ad88b8ff631651f3fd2c47fbf342a)\nThe package @zuora-marketing/linting was found to contain malicious code.\n\n## Source: ossf-package-analysis (02e59dfc0bb58f27949258caefffd5c13d5c3af111b8c069edf5ea6e0e985f22)\nThe OpenSSF Package Analysis project identified '@zuora-marketing/linting' @ 5.1.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","affected":[{"package":{"name":"@zuora-marketing/linting","ecosystem":"npm","purl":"pkg:npm/%40zuora-marketing/linting"},"versions":["5.1.0","6.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zuora-marketing/linting/MAL-2026-168.json"}}],"database_specific":{"malicious-packages-origins":[{"import_time":"2026-01-08T15:41:30.366112511Z","modified_time":"2026-01-08T15:40:55Z","sha256":"02e59dfc0bb58f27949258caefffd5c13d5c3af111b8c069edf5ea6e0e985f22","source":"ossf-package-analysis","versions":["5.1.0"]},{"import_time":"2026-01-08T18:45:03.309095836Z","modified_time":"2026-01-08T18:27:59Z","sha256":"6ac2fac151a4dc27d6767c679c92664cbd80bdd566ae85b259a46155e73596f3","source":"ossf-package-analysis","versions":["6.1.1"]},{"import_time":"2026-01-15T22:07:42.096674975Z","modified_time":"2026-01-15T21:43:07Z","sha256":"ddcfd1151af868e694a4a79307ce1284331ad88b8ff631651f3fd2c47fbf342a","source":"amazon-inspector","versions":["5.1.0","6.1.1"]}]},"credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}