Manifest location and content before the Dependabot update
🐞 Bug report
AWS Inspector is flagging malware in all of the dependabot-core images. This means we are unable to use the npm variant. The Node versions I want to support with this image are 14.21.x, 20.x and 22.x. Can we remove these malicious packages from the images? Anyone else trying to run the images in a cloud environment with container image scanning will encounter the same issues. I am happy to provide any additional material.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
all
Language version
Node.js
Here are the findings from inspector.
Finding 1: MAL-2022-2944 (extraneous-detected)
arn:aws:inspector2:eu-west-1:[REDACTED]:finding/9151963e624829556c00a0cc75bff549
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test
551f7ee3-20250307-1039
[REDACTED]
Finding 2: MAL-2022-2945 (extraneous-dev-dep)
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/extraneous-dev-dep/package.json
[REDACTED]
551f7ee3-20250307-1039
Finding 3: MAL-2022-6485 (test-old-npm-sub-dependency)
0:github:dependabot-fixtures/test-old-npm-sub-dependency#3022e23aa7dac4d
/home/dependabot/npm8/nested_sub_dependency_update_npm_out_of_range/packages/package4/package-lock.json (+2 more)
[REDACTED]
551f7ee3-20250307-1039
Finding 4: MAL-2023-462 (fsevents)
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6/os/package-lock.json, /home/dependabot/npm_and_yarn/node_modules/npm/package-lock.json
[REDACTED]
551f7ee3-20250307-1039
In addition, these paths have also been flagged.
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/extraneous-detected/package.json
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/extraneous-detected/
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm8/os_mismatch/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm8/os_mismatch/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm8/subdependency_update_tab_indentation/
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update_tab_indentation/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/updated_projects/npm6/subdependency_update_tab_indentation/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/nested_sub_dependency_update_npm_out_of_range/packages/package4/package-lock.json
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm8/subdependency_update_tab_indentation/
/home/dependabot/npm_and_yarn/spec/fixtures/updated_projects/npm8/subdependency_update_tab_indentation/
/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm8/subdependency_update_tab_indentation/
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/extraneous-dev-dep/package.json
/opt/npm_and_yarn/node_modules/npm/node_modules/
/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/
/opt/npm_and_yarn/node_modules/npm/package-lock.json
/opt/npm_and_yarn/node_modules/
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Should not see any malware detected in my Inspector scan report.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
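The findings above all point at files under `test/fixtures`, `spec/fixtures` or a vendored `test/` directory, and the package names in the MAL- identifiers are the fixture names themselves (for example `extraneous-detected` is the name in the flagged `read-installed/test/fixtures/extraneous-detected/package.json`). Before asking for packages to be removed, or before accepting a suppression, it is worth checking two things per finding: where the flagged file lives in the image, and whether the flagged manifest merely names the package. The script below does that triage; it is an added example written for this issue, not code from dependabot-core or AWS Inspector. It uses the four paths quoted in the report, and the `package.json` and `package-lock.json` contents it writes into a temporary tree are constructed stand-ins for the real files. The `FIXTURE_MARKERS` list is an assumption about directory conventions and should be adjusted per project; `build_sample_root()` stands in for an exported image filesystem (for example from `docker create` followed by `docker export`).

```python
"""Triage AWS Inspector malware findings on a container image by where the
flagged file lives and by what the flagged manifest declares.

Added example for this issue; not dependabot-core or Inspector code.  The
paths and advisory IDs come from the findings quoted in the issue; the
manifest contents written into the sample tree are constructed.
"""
import json
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Directory conventions that hold test inputs rather than code that runs in the
# image.  This list is an assumption; extend it for the project being scanned.
FIXTURE_MARKERS = ("/test/fixtures/", "/spec/fixtures/", "/test/", "/spec/")


@dataclass(frozen=True)
class Finding:
    advisory: str  # OSV malicious-package ID Inspector reported, e.g. MAL-2022-2944
    package: str   # package name Inspector associated with the advisory
    path: str      # file or directory Inspector flagged


def classify(path: str) -> str:
    """Bucket a flagged path: 'fixture' (test/spec input), 'vendored'
    (installed under node_modules) or 'runtime' (anything else, needs a look)."""
    p = path.rstrip("/") + "/"
    if any(marker in p for marker in FIXTURE_MARKERS):
        return "fixture"
    if "/node_modules/" in p:
        return "vendored"
    return "runtime"


def mentions_package(path: str, root: str, package: str) -> Optional[bool]:
    """Does the flagged manifest itself name `package`?

    package.json: matches on the `name` field or a dependency entry.
    package-lock.json: lockfile v1 lists packages under `dependencies`,
    v2/v3 under `packages` keyed 'node_modules/<name>'.
    Returns None when there is no readable manifest at the path, so the
    caller can see the finding was not checked rather than cleared.
    """
    full = os.path.join(root, path.lstrip("/"))
    if os.path.isdir(full):
        full = os.path.join(full, "package.json")
    try:
        with open(full, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    if os.path.basename(full) == "package-lock.json":
        return (package in data.get("dependencies", {})
                or f"node_modules/{package}" in data.get("packages", {}))
    dep_sections = ("dependencies", "devDependencies", "optionalDependencies")
    return (data.get("name") == package
            or any(package in data.get(s, {}) for s in dep_sections))


def triage(findings: List[Finding], root: str) -> List[dict]:
    """One row per finding: location bucket plus whether the manifest names the package."""
    return [{
        "advisory": f.advisory,
        "package": f.package,
        "path": f.path,
        "bucket": classify(f.path),
        "mentions": mentions_package(f.path, root, f.package),
    } for f in findings]


def summarize(rows: List[dict]) -> dict:
    """Count findings per bucket; anything in 'runtime' needs manual review."""
    counts = {"fixture": 0, "vendored": 0, "runtime": 0}
    for r in rows:
        counts[r["bucket"]] += 1
    return counts


# The four findings quoted in the issue (ARN and scan ID omitted).
ISSUE_FINDINGS = [
    Finding("MAL-2022-2944", "extraneous-detected",
            "/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test"),
    Finding("MAL-2022-2945", "extraneous-dev-dep",
            "/opt/npm_and_yarn/node_modules/npm/node_modules/read-installed/test/fixtures/extraneous-dev-dep/package.json"),
    Finding("MAL-2022-6485", "test-old-npm-sub-dependency",
            "/home/dependabot/npm8/nested_sub_dependency_update_npm_out_of_range/packages/package4/package-lock.json"),
    Finding("MAL-2023-462", "fsevents",
            "/home/dependabot/npm_and_yarn/spec/fixtures/projects/npm6/os/package-lock.json"),
]


def build_sample_root() -> str:
    """Constructed stand-in for an exported image filesystem (assumption)."""
    root = tempfile.mkdtemp(prefix="inspector-triage-")
    os.makedirs(os.path.join(root, ISSUE_FINDINGS[0].path.lstrip("/")), exist_ok=True)
    manifests = {
        # Constructed: a fixture whose package.json name is the flagged package.
        ISSUE_FINDINGS[1].path: {"name": "extraneous-dev-dep", "version": "1.0.0"},
        # Constructed: a v1 lock file that merely lists fsevents as a dependency.
        ISSUE_FINDINGS[3].path: {"lockfileVersion": 1,
                                 "dependencies": {"fsevents": {"version": "1.2.9"}}},
    }
    for rel, content in manifests.items():
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root


def demo() -> List[dict]:
    return triage(ISSUE_FINDINGS, build_sample_root())


if __name__ == "__main__":
    rows = demo()
    for r in rows:
        print(f"{r['advisory']:14} {r['bucket']:8} mentions={r['mentions']}  {r['path']}")
    print(summarize(rows))
```

Run against a real export the script leaves the third finding in the `runtime` bucket with `mentions=None`, because the path Inspector printed for it has no fixture marker and the sample tree holds no manifest there; that is the row to inspect by hand (the fuller path list in the report places the same file under `spec/fixtures/`). A `fixture` row whose manifest merely names the package is the pattern behind every other finding here: a name match in a test input, not an installed or executed package.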