Hi, Marc from Semrush here.

## Summary

The following OpenSSF malicious packages entries:

Are causing false positives against some of our legitimate internal packages.

Semrush is the rightful owner of the following NPM scopes:

- amber-team
- avocado-team
- berush
- billing-info
- clickhouse-team
- create-project-container
- crimson-team
- frozen-team
- frozen-team-qa
- frozen-ui
- funnel-analysis
- ginger-dev
- ginger-team
- light-widgets
- lion-team
- local-unit
- market-explorer
- marketing-tech
- metrics-service
- my-reports
- notification-center
- paysol-widgets
- protos-team
- ruby-team
- sellerly
- sellerly-kit
- semdash-kit
- sempay
- seoquake
- silver-team
- siteaudit
- subscription-info
- ta-team
- tiger-team
- universal-search
- vue-semcore
- white-team
- wire-team

And none of the packages within those scopes are malicious.

## Background

The packages within the listed scopes are legitimate private dependencies. They are distributed exclusively through our internal repository, not via NPM.

To proactively guard against potential dependency confusion attacks, we registered these scopes on the public NPM registry. This was achieved by using a script to add placeholder, or dummy, packages to those scopes.

The placeholder looked like this one, but we don't know why those packages were marked as malicious by "Amazon Inspector - FINDER".

## Issue

Security tools that consume the OpenSSF malicious packages dataset via OSV (for example, Wiz) are flagging our legitimate internal package based solely on the package name & scope, despite:

- Our packages being private and never distributed via NPM.
- Only the third-party NPM publication being marked malicious.

## Request

We request the removal of the OpenSSF entries corresponding to the malicious packages within the scopes listed in the summary.

## Evidence of ownership

What is an acceptable way to prove that we own them?

## Impact

Retaining the entries is causing ongoing false positives against many legitimate private packages that will never be published to NPM.
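The name-only matching described in the Issue section is what a consumer of these OSV entries can correct for locally: a MAL hit only matters if the package was actually fetched from the public registry, not from the private registry the scope is pinned to in `.npmrc`. The script below is an added example, not code from this issue or from any tool named here; the `@frozen-ui` scope is from the list above, while the hostnames, package names, versions and `MAL-0000-*` ids are constructed placeholders.

```python
import json
from urllib.parse import urlparse


def parse_npmrc_scopes(npmrc_text):
    """Map '@scope' -> registry hostname from '@scope:registry=URL' lines in .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = urlparse(value.strip()).hostname
    return scopes


def installed_hosts(lock):
    """Map package name -> hostname it was resolved from (package-lock.json v2/v3)."""
    hosts = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # the "" entry is the root project, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            hosts[name] = urlparse(meta.get("resolved", "")).hostname
    return hosts


def triage(hits, lock, scope_registries):
    """Classify each OSV hit by where the matching package was actually fetched from:
    'name-only' if it came from the private registry configured for its scope,
    'actionable' if it came from anywhere else, 'not-installed' if absent from the lock."""
    hosts = installed_hosts(lock)
    verdicts = {}
    for hit in hits:
        name = hit["package"]["name"]
        host = hosts.get(name)
        scope = name.split("/")[0] if name.startswith("@") else None
        if host is None:
            verdicts[hit["id"]] = "not-installed"
        elif scope and host == scope_registries.get(scope):
            verdicts[hit["id"]] = "name-only"  # private copy; only the name matched
        else:
            verdicts[hit["id"]] = "actionable"  # resolved from a public registry
    return verdicts


# Constructed sample inputs: hostnames, package names, versions and MAL ids are placeholders.
NPMRC = "@frozen-ui:registry=https://npm.internal.example/\nregistry=https://registry.npmjs.org/\n"
LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@frozen-ui/button": {"version": "1.4.0",
        "resolved": "https://npm.internal.example/@frozen-ui/button/-/button-1.4.0.tgz"},
    "node_modules/@example-scope/widget": {"version": "9.9.9",
        "resolved": "https://registry.npmjs.org/@example-scope/widget/-/widget-9.9.9.tgz"},
}}
HITS = [{"id": "MAL-0000-0001", "package": {"ecosystem": "npm", "name": "@frozen-ui/button"}},
        {"id": "MAL-0000-0002", "package": {"ecosystem": "npm", "name": "@example-scope/widget"}},
        {"id": "MAL-0000-0003", "package": {"ecosystem": "npm", "name": "@frozen-ui/modal"}}]

if __name__ == "__main__":
    print(json.dumps(triage(HITS, LOCK, parse_npmrc_scopes(NPMRC)), indent=2))
```

A package that resolved from the public registry despite its scope being pinned privately is exactly the dependency-confusion case the placeholder packages were meant to prevent, so that verdict stays `actionable` even when the scope is yours.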