Data Research is continuously updated inside our products. The information in this article is current as of 2024-12-30.
Symptom
Version 1.x of the own-keys package is being identified as vulnerable to sonatype-2022-1751 and categorized under 'Malicious Code'.
Customers may notice a spike in these implications because own-keys was added as a dependency of es-abstract (also maintained by the same author and used by many GitHub projects): https://www.npmjs.com/package/es-abstract?activeTab=dependents.
Explanation
Sonatype Data Research has confirmed that the 99.x versions of the own-keys package are malicious. Versions 1.0.0 and 1.0.1, released on 12/29/2024, are not malicious.
Sonatype has taken the following actions:
- Malicious Versions Update: The specific malicious versions affected have been added to sonatype-2022-1751 vulnerability description.
- Version range adjustment: The implicated version range has been closed to prevent non-malicious versions from being flagged.
Advice
To obtain the latest Sonatype curated security research, please perform a re-scan of your application if the current report is implicating 1.x versions of own-keys package.
In general, consider avoiding the use of any packages which have published implicated malicious versions.