


Perceptive Security
SOC/SIEM Consultancy

OSV withdrew 157 OSV malware reports after automated false positives incorrectly flagged trusted npm and PyPI packages, sending bad records into tools that rely…
Published:
27 May 2026 at 06:02:38
Alert date:
27 May 2026 at 16:03:27
Source:
socket.dev
Supply Chain & Dependencies, Security Tools
OSV withdrew 157 malware reports after Amazon Inspector's automated detection system incorrectly flagged legitimate npm and PyPI packages including FastAPI as malicious. The false positives were caused by automated systems misidentifying dependency changes as malicious behavior without proper validation. These bad records propagated through security tools, CI/CD systems, and build pipelines, causing disruption for maintainers and consumers. The incident highlights risks of automated malware detection feeding directly into public vulnerability databases without human verification.
Technical details
OSV withdrew 157 malicious-package reports on May 26 after automated Amazon Inspector detections incorrectly flagged npm and PyPI packages as malware. The false positives came from an automated detector that treated suspicious dependency changes as evidence of compromise without verifying that a malicious payload was actually present. FastAPI 0.136.3 was flagged for adding an undocumented dependency 'fastar>=0.9.0' to its standard optional dependency group, which the detector interpreted as a potential dependency-confusion or typosquat attack vector; fastar itself appears among the affected packages listed below. A newly added dependency is a weak signal on its own and needs corroboration (for example, inspection of the dependency's actual contents) before it is published as a malware finding. The automated reports from Amazon Inspector had been integrated into OpenSSF's malicious-packages repository in October 2025, creating a path for unvalidated detections to enter public package intelligence databases.
Mitigation steps:
OpenSSF has paused its automation and is taking corrective actions. Organizations using OSV data should review their security scanning tools and CI/CD pipelines for the impact of the false positives: tools that cache OSV records by ID should re-fetch them, because a withdrawn OSV record is not deleted but keeps its ID and is marked with a withdrawn timestamp (the withdrawn entries are kept under osv/withdrawn in the malicious-packages repository, linked below). Maintainers should verify that their packages were not incorrectly flagged and communicate with downstream consumers if builds or deployments were affected. Consider implementing validation processes for automated malware detection before publishing to public vulnerability databases.
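As an added example of the pipeline review recommended above (this is not code from Perceptive, socket.dev, OSV or OpenSSF), the following Python helper triages an OSV query result so that a CI gate fails only on malware records that have not been withdrawn, and reports withdrawn records instead of silently dropping them. It assumes the caller has already fetched JSON from the OSV API (POST /v1/query at https://api.osv.dev) and that records follow the OSV schema, in which a retracted record carries a `withdrawn` RFC 3339 timestamp. The sample response is constructed; only the ID MAL-2026-4750 and fastapi 0.136.3 come from this page, and pairing the two is an assumption drawn from the page's links.

```python
"""Triage OSV findings for a CI gate, separating withdrawn records from
actionable malware. Hypothetical helper written for this page, not the
project's own tooling."""
import json
from datetime import datetime

# Constructed sample shaped like an OSV /v1/query response for one package.
# Only MAL-2026-4750 / fastapi 0.136.3 appear on the page; the pairing is
# assumed, and the other two records and all timestamps are made up.
SAMPLE_RESPONSE = json.dumps({
    "vulns": [
        {
            "id": "MAL-2026-4750",
            "summary": "Malicious code in fastapi (PyPI)",
            "modified": "2026-05-26T12:00:00Z",
            "withdrawn": "2026-05-26T12:00:00Z",
            "affected": [{
                "package": {"ecosystem": "PyPI", "name": "fastapi"},
                "versions": ["0.136.3"],
            }],
        },
        {
            "id": "MAL-0000-0001",  # constructed: a malware record still in force
            "summary": "Malicious code in example-pkg (PyPI)",
            "modified": "2026-05-20T00:00:00Z",
            "affected": [{
                "package": {"ecosystem": "PyPI", "name": "example-pkg"},
                "versions": ["1.2.3"],
            }],
        },
        {
            "id": "PYSEC-0000-0002",  # constructed: an ordinary vulnerability
            "summary": "Example non-malware advisory",
            "modified": "2026-01-01T00:00:00Z",
            "affected": [{
                "package": {"ecosystem": "PyPI", "name": "example-pkg"},
                "versions": ["1.2.3"],
            }],
        },
    ]
})


def _parse_rfc3339(value):
    """Parse an OSV timestamp; None for a missing or unparseable value."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def is_withdrawn(vuln):
    """True when the record carries a valid `withdrawn` timestamp.

    An unparseable value fails closed: the record stays actionable so a
    malformed retraction cannot silently disable a malware block."""
    return _parse_rfc3339(vuln.get("withdrawn")) is not None


def triage(response_json):
    """Split an OSV query response into three buckets of record IDs:
    actionable malware (MAL- prefix, not withdrawn), withdrawn records,
    and other advisories. Withdrawn records are kept so the pipeline can
    log that an earlier block was a false positive."""
    buckets = {"actionable_malware": [], "withdrawn": [], "other": []}
    for vuln in json.loads(response_json).get("vulns", []):
        vid = vuln.get("id", "")
        if is_withdrawn(vuln):
            buckets["withdrawn"].append(vid)
        elif vid.startswith("MAL-"):
            buckets["actionable_malware"].append(vid)
        else:
            buckets["other"].append(vid)
    return buckets


def malware_gate_passes(response_json):
    """CI gate: fail only on MAL- records that have not been withdrawn."""
    return not triage(response_json)["actionable_malware"]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
    print("gate passes:", malware_gate_passes(SAMPLE_RESPONSE))
```

Because withdrawal is expressed as a field on the record rather than by deleting it, a scanner that only checks whether an ID exists in its cache will keep blocking a package after OSV has retracted the report; re-querying by package and version, and honouring the `withdrawn` field as above, is what clears the stale block.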
Affected products:
FastAPI v0.136.3
Strawberry GraphQL
@tanstack/start-storage-context v1.167.4
@nx/key
@ctrl/plex
rdflib
qontract-reconcile
massive
notebook-intelligence
pulumi-vcd
art-template
fastar
Related links:
https://github.com/ossf/malicious-packages/tree/main/osv/withdrawn
https://github.com/ossf/malicious-packages/pull/1276
https://osv.dev/vulnerability/MAL-2026-4750
Related CVEs:
Related threat actors:
IOCs:
MAL-2026-4750 (the withdrawn OSV record linked above), fastar>=0.9.0 (the dependency specifier that triggered the FastAPI false positive; listed for reference, not as an indicator of compromise)
This article was created with the assistance of AI technology by Perceptive.
