OpenSSF flags npm compass-e2e-tests as malicious
TL;DR — Remove compass-e2e-tests@99.0.0 from all environments; OpenSSF Package Analysis flagged it for communicating with a domain associated with malicious activity.
What happened
OpenSSF Package Analysis identified the npm package compass-e2e-tests version 99.0.0 as malicious due to communication with a domain associated with malicious activity.
The suspiciously high version number (99.0.0) is a common pattern in dependency confusion attacks, where attackers publish a high-version package to public registries hoping internal package managers will prefer it over a private package with the same name.
Who is impacted
- Teams that installed compass-e2e-tests@99.0.0 in any environment (developer workstations, CI runners, or build containers).
What to do now
- Search dependency manifests and lockfiles for compass-e2e-tests@99.0.0 and remove it.
- Identify where it was installed or executed and treat affected build environments as potentially compromised.
- Rotate credentials that may have been accessible (CI secrets, npm tokens, cloud keys).
