
False Positive: CWE-506 Flag on Project Packages

Open Sina-KH opened this issue 8 months ago • 2 comments

Hello,

We’ve noticed that three of our project libraries have been flagged under CWE-506: Embedded Malicious Code in the GitHub security advisories. After reviewing the codebase and package history, we believe this is a false positive.

There is no obfuscation, suspicious behavior, or embedded malicious code present in these packages. We suspect this flag may have been triggered erroneously—possibly due to a misinterpretation of certain implementation patterns or dependencies.

Reports:

https://github.com/advisories/GHSA-ccc7-4x7f-rx8r
https://github.com/advisories/GHSA-59c9-98cx-68fw
https://github.com/advisories/GHSA-xw5j-qjmv-9fjx

We kindly request a review of these advisories, and we’re happy to provide any clarifications or code details needed to assist in resolving this matter.

Thanks in advance for your attention and support!

Sina-KH, Apr 23 '25 22:04

Hi @Sina-KH, if you haven't done so already, contact https://www.npmjs.com/support to initiate a namespace claim and let npm support know that you haven't found evidence of malicious activity in mtw-capacitor-usb-hid, native-bottom-sheet, or eslint-config-mytonwallet. Thanks for reaching out and have a great week!

shelbyc, Apr 24 '25 16:04

@Sina-KH Can you maybe summarize your experience with NPMjs? This kind of alert seems to be getting more common, and it would be good to know that at least NPMjs cares.

ecki, Jul 23 '25 12:07