GHSA-664p-x4cc-9q9w Malware found in Repo. CWE-506

[larsts2]

Hi there,

in our privat github org we've received a couple of malware warnings.
I'm responsible for one of the repos that got flagged with a CWE-506 Weakness. It only says The product contains code that appears to be malicious in nature. There is no specific line of the supposedly malicious code being provided.
An npm audit does not suggest any fixes nor have I implemented anything into the repo in the lasts months. The last package was published 3 months ago.

Any advice on how to proceed here? Thanks in advance!

---

update:

these are two additional incidents we found in our organisation.
GHSA-jrfr-qx3j-84p5
GHSA-2h9r-w2r5-m764

As it turns out, contrary to my first message here, we were indeed target of a supply chain attack.

https://socket.dev/npm/package/@oneaudi/unified-web-common/diff/1.6.8 check out the socket.dev link. We've never actually published those packages.

somebody published the malicious package which is within our private org into the public npm registry.

How do we proceed from here, can the Advisory against our private org package be removed again?

[shelbyc]

Hi @larsts2, my team can change any malware advisories such as GHSA-jrfr-qx3j-84p5 and GHSA-2h9r-w2r5-m764 to only list versions that were taken down as part of a response to recent supply chain attacks. For any other assistance, you or your colleagues will need to contact https://www.npmjs.com/support.

[larsts2]

Hey @shelbyc thanks for your response. I would like to reach out to the npm support. But the package that caused the problem does no longer exist in the public npm registry.

So the problem I see is, that the packages that were taken down are still being flagged in our npm audit. But we don't even use those packages, right? We're only using the ones with the same name in our private npm registry.

Why can't you take down the Advisory against GHSA-664p-x4cc-9q9w but you can for the other two? It was the same issue, wasn't it? Or can you?

Thanks in advance

[shelbyc]

@larsts2 Sorry about not responding more clearly in my previous response! I changed the following advisories to limit the affected version ranges:

• GHSA-664p-x4cc-9q9w
• GHSA-jrfr-qx3j-84p5
• GHSA-2h9r-w2r5-m764

I also asked my teammates about the problem you're dealing with and got some more information.

You are likely receiving the associated npm audit alerts because a malicious package with the same name as one used in your private organization was published to the public npm registry, meaning you may be susceptible to dependency confusion and substitution. A dependency confusion attack occurs when an attacker publishes a package to a public registry (like npm) using the same name as a package used internally in a private organization. If your build or deployment process inadvertently pulls from the public registry instead of your private one, you could end up installing the attacker's malicious package. The advisory does not mean your private package or codebase is compromised, it only indicates that your package name was targeted.

• If your project only consumes the package from your private registry: No immediate action is required. You should not be affected by the malicious public package.
• If there's any risk your workflow could fetch from the public registry: Review your dependency configuration to ensure that only your private registry is used for this package name. The alert is relevant because it's possible for organizations to be vulnerable to this attack if registry configurations are not strictly enforced.

Dependency confusion is relevant because it exploits naming collisions between private and public registries, potentially tricking systems into installing malicious packages. npm alerts you when such a risk is present, even if your current setup is safe, to ensure you are aware of the attack vector and can verify your configurations.

Can the advisory against your private org package be removed?

Currently, advisories in the GitHub Advisory Database are tied to events in the public ecosystem (npm registry), not your private organization's packages. While the advisory will remain in the database for transparency and supply chain awareness, it may not indicate a vulnerability in your private package.

I hope this information helps!

[larsts2]

@shelbyc thank's alot for the clarification!