
Please remove all captivateiq instances

Open radical-izak opened this issue 1 year ago • 4 comments

Please help us remove all captivateiq instances from npm: https://github.com/ossf/malicious-packages/tree/main/osv/malicious/npm/%40captivateiq

All of the packages listed there were just a test for security purposes; now there are no public captivateiq repos.

Please let me know if you need any other information.

Thank you

radical-izak avatar Dec 06 '24 17:12 radical-izak

Hi @radical-izak.

We have a policy of not removing reports of malicious packages once they have been added.

We will only adjust the reports to be more specific for the versions they apply to, or withdraw them if they were not pointing to malicious packages.

The repo serves as a history of malicious packages that have been published to open source repositories as both a resource to researchers and organizations trying to protect themselves.

Furthermore, the repo does not attempt to judge a package on the intent of the author, only on the package itself and its behavior. This means that packages from both malicious attackers and security researchers are fair game for inclusion.

I hope that helps explain. If there is a specific problem you are trying to solve other than merely removing them from the repo, I'd be happy to discuss it more.

calebbrown avatar Dec 13 '24 05:12 calebbrown

Thank you Caleb. The issue is that some of our customers are reporting these findings and asking us to fix them, and we cannot fix something that doesn't exist. This is causing confusion.

radical-izak avatar Jan 31 '25 18:01 radical-izak

Hi @radical-izak,

MAL- reports are not vulnerabilities that need to be patched; they are reports of malicious packages published on NPM, PyPI, etc.

The @captivateiq reports include explicit versions of the malicious packages that were published to NPM. Any tool trying to match on them should only match if:

  1. the package was retrieved from NPM
  2. the version of the package matches a version in the report

Without understanding how these packages are being used and distributed, your customers' tooling may be assuming these packages are coming from NPM, or they may be more aggressive on the version matching.

I would need more detail on what your customers are doing to encounter these findings to be able to help further.

calebbrown avatar Feb 04 '25 05:02 calebbrown
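The two matching conditions above (the dependency must come from the npm registry, and its exact version must be listed in the report) are easy to get wrong in a scanner, which is the false-positive mode described in this thread. The following is an added example, not code from the ossf/malicious-packages project or from either participant: it parses a constructed OSV-style MAL- report (placeholder id and a constructed package name) and checks package-lock-style dependency entries against it, contrasting the correct strict match with a name-only match that ignores source and version.

```python
"""Match OSV-style MAL- reports against resolved npm dependencies.

Added example; the report and the lockfile entries below are constructed
and the report id is a placeholder, not a real identifier.
"""
import json

# Constructed OSV-style report. Real MAL- reports carry "ecosystem",
# "name" and explicit "versions" under "affected"; the id is a placeholder.
REPORT_JSON = """
{
  "id": "MAL-0000-PLACEHOLDER",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "@constructed-scope/pkg"},
      "versions": ["1.0.1", "1.0.2"]
    }
  ]
}
"""

NPM_REGISTRY = "https://registry.npmjs.org/"


def load_report(text):
    """Parse the JSON text of an OSV-style report into a dict."""
    return json.loads(text)


def affected_entries(report):
    """Yield (ecosystem, name, set_of_versions) for each affected entry."""
    for aff in report.get("affected", []):
        pkg = aff.get("package", {})
        yield pkg.get("ecosystem"), pkg.get("name"), set(aff.get("versions", []))


def from_npm_registry(resolved):
    """True when the lockfile 'resolved' URL points at the public npm registry."""
    return resolved.startswith(NPM_REGISTRY)


def matches(report, dep, strict=True):
    """Decide whether a resolved dependency should be flagged by this report.

    dep is a dict shaped like a package-lock.json entry: 'name', 'version'
    and 'resolved' (the tarball URL it was fetched from).
    strict=True applies the rule from the thread: same ecosystem, fetched
    from the npm registry, and the exact version is listed in the report.
    strict=False mimics an over-aggressive scanner that flags on name alone.
    """
    for ecosystem, name, versions in affected_entries(report):
        if name != dep["name"]:
            continue
        if not strict:
            return True  # name-only match: the source of the false positives
        if ecosystem != "npm":
            continue
        if not from_npm_registry(dep.get("resolved", "")):
            continue  # not retrieved from NPM: condition 1 fails
        if dep["version"] in versions:
            return True  # condition 2: exact version is listed
    return False


def scan(report, deps, strict=True):
    """Return the names of dependencies flagged by the report."""
    return [d["name"] for d in deps if matches(report, d, strict)]


# Constructed lockfile entries covering the three interesting cases.
DEPS = [
    # Listed version, fetched from the public npm registry: a true match.
    {"name": "@constructed-scope/pkg", "version": "1.0.1",
     "resolved": NPM_REGISTRY + "@constructed-scope/pkg/-/pkg-1.0.1.tgz"},
    # Same name, version not in the report: must not match.
    {"name": "@constructed-scope/pkg", "version": "2.3.0",
     "resolved": NPM_REGISTRY + "@constructed-scope/pkg/-/pkg-2.3.0.tgz"},
    # Listed version but served from an internal registry, so not from NPM.
    {"name": "@constructed-scope/pkg", "version": "1.0.2",
     "resolved": "https://npm.internal.example/@constructed-scope/pkg/-/pkg-1.0.2.tgz"},
]


if __name__ == "__main__":
    report = load_report(REPORT_JSON)
    print("strict:", scan(report, DEPS, strict=True))
    print("name-only:", scan(report, DEPS, strict=False))
```

With the strict rule only the first entry is flagged; the name-only rule flags all three, including the version that is not in the report and the copy that never came from the npm registry, which is exactly the confusion the thread describes.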

Thank you Caleb.

Those NPM packages were published accidentally to the NPM side during a security test. They no longer exist, given that they are not real. But one customer and a prospect pointed to this https://vulert.com/vuln-db/npm--captivateiq-events-174544? and said that we needed to patch; well, these are fictitious, and we don't have a way to remove references from these sites.

radical-izak avatar Feb 10 '25 22:02 radical-izak