mal-2026-1420
Vulnerability from ossf_malicious_packages
Published
2026-03-13 15:38
Modified
2026-03-13 18:49
Summary
Malicious code in cw-isdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: ossf-package-analysis (a4ddcc5674d5c16f194910e57e000058bf09ed62fc7d55c77e5df1eb8f83fd92)

The OpenSSF Package Analysis project identified 'cw-isdk' @ 20.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Credits
OpenSSF: Package Analysis github.com/ossf/package-analysis openssf.slack.com/channels/package_analysis
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "cw-isdk"
      },
      "versions": [
        "20.0.0",
        "22.0.0",
        "26.0.0",
        "34.0.0",
        "31.0.0",
        "33.0.0",
        "25.0.0",
        "32.0.0",
        "37.0.0",
        "39.0.0",
        "38.0.0",
        "40.0.7",
        "40.0.9",
        "1.0.0",
        "40.0.8",
        "40.1.0"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "https://github.com/ossf/package-analysis",
        "https://openssf.slack.com/channels/package_analysis"
      ],
      "name": "OpenSSF: Package Analysis",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-03-13T15:47:44.731041208Z",
        "modified_time": "2026-03-13T15:38:25Z",
        "sha256": "a4ddcc5674d5c16f194910e57e000058bf09ed62fc7d55c77e5df1eb8f83fd92",
        "source": "ossf-package-analysis",
        "versions": [
          "20.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:15:16.986882897Z",
        "modified_time": "2026-03-13T15:50:42Z",
        "sha256": "d24aa2de1a9c568893245ad4db43225e926678014e8e8e449c5a1124ff16a533",
        "source": "ossf-package-analysis",
        "versions": [
          "22.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:15:17.133384852Z",
        "modified_time": "2026-03-13T16:11:12Z",
        "sha256": "faf17028795f038f1d2dc298ec9862ff83144b538f4cc137eb159f1d3b439533",
        "source": "ossf-package-analysis",
        "versions": [
          "26.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:47:42.721643361Z",
        "modified_time": "2026-03-13T16:45:40Z",
        "sha256": "c11546602f59c7a53394ba1379bbec5436cad4125bc4d38053ec354d685cf2ae",
        "source": "ossf-package-analysis",
        "versions": [
          "34.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:47:42.394322813Z",
        "modified_time": "2026-03-13T16:30:56Z",
        "sha256": "c40d289372b701bbc83af5302246ca9628e1c850ca415e7b4094cdcf3e765c49",
        "source": "ossf-package-analysis",
        "versions": [
          "31.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:47:42.61404152Z",
        "modified_time": "2026-03-13T16:40:31Z",
        "sha256": "c4a4dfa8d0475e93d21d819cfe8cb6989303bb457e7dea11f5b6dae4cddcedca",
        "source": "ossf-package-analysis",
        "versions": [
          "33.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:47:42.299216865Z",
        "modified_time": "2026-03-13T16:15:57Z",
        "sha256": "1ba54a67d63db10a40bc903c5f0a249e7ff3dc1f7da70b93fc10492e6db07b76",
        "source": "ossf-package-analysis",
        "versions": [
          "25.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T16:47:42.480012868Z",
        "modified_time": "2026-03-13T16:35:54Z",
        "sha256": "31acfd7f47028b23155766119c87fdadd94352e9a52a048e0283df75aee57bd4",
        "source": "ossf-package-analysis",
        "versions": [
          "32.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T17:16:11.200137244Z",
        "modified_time": "2026-03-13T17:08:12Z",
        "sha256": "4fd1bdb6bd8a8c7439fa5a5c89173c8186c9d7815ebe7acb15b3b18ecc12aaa4",
        "source": "ossf-package-analysis",
        "versions": [
          "37.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T17:46:32.410424609Z",
        "modified_time": "2026-03-13T17:32:49Z",
        "sha256": "298be3a18defb650677d42d53a4fd7722d962b0122d69fe859e8a4af9b3d97de",
        "source": "ossf-package-analysis",
        "versions": [
          "39.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T17:46:32.227896235Z",
        "modified_time": "2026-03-13T17:17:52Z",
        "sha256": "4c1deb7a212801b93ff3fb412afdbff2eb8bcf09a78698cb818d8f453da8c0e8",
        "source": "ossf-package-analysis",
        "versions": [
          "38.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T18:15:25.994018808Z",
        "modified_time": "2026-03-13T18:01:27Z",
        "sha256": "154bc99f76863cca23e8a1e9f9026bdcb538bb41af241bf19ec3afd83f143ec0",
        "source": "ossf-package-analysis",
        "versions": [
          "40.0.7"
        ]
      },
      {
        "import_time": "2026-03-13T18:15:26.132168826Z",
        "modified_time": "2026-03-13T18:11:23Z",
        "sha256": "1ae245e63ec6751889d06ed963acaea982062cbb0011c9d9f53bd22d41e9c9fc",
        "source": "ossf-package-analysis",
        "versions": [
          "40.0.9"
        ]
      },
      {
        "import_time": "2026-03-13T18:47:41.563009348Z",
        "modified_time": "2026-03-13T18:17:53Z",
        "sha256": "39ea54f67f60caa500c1642ef0370787b0c68c9cc6acd986422dafe7ee9d1e97",
        "source": "ossf-package-analysis",
        "versions": [
          "1.0.0"
        ]
      },
      {
        "import_time": "2026-03-13T18:47:41.47430846Z",
        "modified_time": "2026-03-13T18:15:51Z",
        "sha256": "842d3c24c48c6e13de6c2af099c5246541ad5fb9cc163cb307f0e734d73bd8f4",
        "source": "ossf-package-analysis",
        "versions": [
          "40.0.8"
        ]
      },
      {
        "import_time": "2026-03-13T18:47:41.639149733Z",
        "modified_time": "2026-03-13T18:20:15Z",
        "sha256": "92f81e73389cac9ce1946b4ceeac65323b06865a373a0a1b9d7d5be14ff5cc06",
        "source": "ossf-package-analysis",
        "versions": [
          "40.1.0"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (a4ddcc5674d5c16f194910e57e000058bf09ed62fc7d55c77e5df1eb8f83fd92)\nThe OpenSSF Package Analysis project identified \u0027cw-isdk\u0027 @ 20.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "id": "MAL-2026-1420",
  "modified": "2026-03-13T18:49:49Z",
  "published": "2026-03-13T15:38:25Z",
  "schema_version": "1.7.4",
  "summary": "Malicious code in cw-isdk (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.