Erroneous malware reports on appdynamics-* packages #5026
Comments
Hey @laurie71, these are legitimate advisories which were generated as part of a malware take down done by the npm team. The advisories are specifically about the packages on npmjs.com, and I would guess that your build system is using a private package registry for packages of the same name. If you do some searching you'll find similar issues others have opened in this repo; tl;dr is that npm audit is confusing where packages come from. I opened an issue with npm some time back to try and get this addressed in default behavior for npm audit, but alas no movement there. So, you can reach out to npm support about these advisories, but the packages on npmjs.com were almost certainly malware and having advisories about them is beneficial for anyone who may have downloaded those packages. Sorry, I can't give you a more satisfying answer, but I hope that helps at least 😃
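The mix-up described in that reply, where npm audit matches an advisory by package name even when the build actually pulled that name from a private registry, can be checked against the lockfile. The following is an added example, not code from this issue or from npm; the lockfile contents, the appdynamics-foo/appdynamics-bar names and the host registry.example.internal are constructed placeholders:

```javascript
// Added example (not from the issue or npm): report which registry host each package in a
// package-lock.json was actually resolved from. Sample lockfile, names and hosts are constructed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: { // lockfileVersion >= 2 layout, keyed by install path
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/appdynamics-foo": { version: "1.2.0", resolved: "https://registry.example.internal/appdynamics-foo/-/appdynamics-foo-1.2.0.tgz" },
    "node_modules/some-util": { version: "3.0.1", resolved: "https://registry.npmjs.org/some-util/-/some-util-3.0.1.tgz" },
  },
  dependencies: { // v1 layout, which v2 lockfiles also carry for older npm clients
    "appdynamics-bar": { version: "1.0.0", resolved: "https://registry.example.internal/appdynamics-bar/-/appdynamics-bar-1.0.0.tgz",
      dependencies: { "nested-dep": { version: "0.1.0", resolved: "https://registry.npmjs.org/nested-dep/-/nested-dep-0.1.0.tgz" } } },
  },
};

// Map package name -> Set of registry hosts it was resolved from.
function resolvedOrigins(lock) {
  const origins = new Map();
  const record = (name, resolved) => {
    if (!resolved) return; // link/file entries carry no registry URL
    let host;
    try { host = new URL(resolved).host; } catch { return; } // non-URL specs (git, etc.) are skipped
    if (!origins.has(name)) origins.set(name, new Set());
    origins.get(name).add(host);
  };
  // lockfileVersion >= 2: flat "packages" keyed by path; the name follows the last "node_modules/"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    record(path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length), meta.resolved);
  }
  // lockfileVersion 1 tree (nested "dependencies"), walked recursively
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) { record(name, meta.resolved); walk(meta.dependencies); }
  };
  walk(lock.dependencies);
  return origins;
}

// For each advised name, say whether the build actually fetched it from the public
// registry (advisory applies), only from a private host, or not at all.
function classifyAdvisories(lock, advisedNames, publicHost = "registry.npmjs.org") {
  const origins = resolvedOrigins(lock);
  const result = { fromPublic: [], privateOnly: [], notInstalled: [] };
  for (const name of advisedNames) {
    const hosts = origins.get(name);
    if (!hosts) result.notInstalled.push(name);
    else if (hosts.has(publicHost)) result.fromPublic.push(name);
    else result.privateOnly.push(name);
  }
  return result;
}
```

A name in privateOnly means the npmjs.com advisory is about a different package than the one the build installed, which is the situation the reply describes.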
Ah, that explains it; glad they were taken down. I'll follow up with npm support.
Cool. Well if you're good then I'll close this issue out. Feel free to re-open/reply/whatev too if I can help more 👍
There are three malware reports against packages published by AppDynamics:
I work for AppDynamics (a Cisco, Inc business unit) and am the lead engineer for the product these packages are a part of. These packages are not malware, do not contain malware, and do not have any vulnerabilities listed by npm audit. I believe the malware reports against them are, at best, erroneous and, at worst, malicious. Unfortunately the advisories linked above contain no specifics that we can address. What is the process for refuting these advisories and getting them removed?