JustAppSec

OpenSSF flags npm package compass-e2e-tests 99.0.0 as malicious

What happened

Vulnerability-Lookup (CIRCL), ingesting OpenSSF Package Analysis results, published an entry marking the npm package compass-e2e-tests version 99.0.0 as malicious on 2026-02-16T19:55:51Z.

OpenSSF Package Analysis cites the reason as: the package "communicates with a domain associated with malicious activity."

Who is impacted

Teams that installed compass-e2e-tests@99.0.0 in any environment (developer workstations, CI runners, or build containers) are potentially impacted.

What to do now

  • Search dependency manifests and lockfiles for compass-e2e-tests@99.0.0 and remove it.
  • Identify where it was installed/executed (CI logs, artifact build logs) and treat affected build environments as potentially compromised.
  • Rotate credentials that may have been accessible to those environments (CI secrets, npm tokens, cloud keys) following your incident response process.
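The first step above (finding the flagged version in lockfiles) is the one worth automating, since a plain grep for the package name will also match unaffected versions. The script below is an added example written for this article, not code from the advisory, OpenSSF or CIRCL. It walks a checkout, parses every package-lock.json / npm-shrinkwrap.json it finds, handles both lockfileVersion 1 (nested "dependencies" tree) and lockfileVersion 2/3 (flat "packages" map keyed by install path), and reports only the exact version the advisory calls out. The two sample lockfiles and the "demo-app" / "some-tool" / "left-pad" names are constructed for the demo; yarn.lock and pnpm-lock.yaml use different formats and are not parsed here, so check those separately.

```python
"""Find compass-e2e-tests@99.0.0 in npm lockfiles (package-lock.json v1/v2/v3).

Added example for the remediation steps in this advisory; not code from the
advisory, OpenSSF or CIRCL. The sample lockfiles below are constructed.
"""
import json
import os
import sys
from typing import Dict, List

# Package -> set of versions called out as malicious (from the advisory).
MALICIOUS = {"compass-e2e-tests": {"99.0.0"}}


def _walk_v1(deps: Dict, prefix: str, hits: List[str]) -> None:
    """Recurse a lockfileVersion 1 'dependencies' tree (nested node_modules)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if meta.get("version") in MALICIOUS.get(name, set()):
            hits.append(f"{path}@{meta['version']}")
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_malicious(lock: Dict) -> List[str]:
    """Return install paths (with version) of flagged packages in a parsed lockfile."""
    hits: List[str] = []
    if "packages" in lock:
        # lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b";
        # the empty key "" is the root project itself.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/pkg" intact
            if meta.get("version") in MALICIOUS.get(name, set()):
                hits.append(f"{path}@{meta['version']}")
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a checkout and scan every package-lock.json / npm-shrinkwrap.json."""
    results: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # skip installed trees
        for fn in ("package-lock.json", "npm-shrinkwrap.json"):
            if fn not in filenames:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8") as f:
                try:
                    hits = find_malicious(json.load(f))
                except json.JSONDecodeError:
                    continue  # not valid JSON; report separately if needed
            if hits:
                results[path] = hits
    return results


# Constructed sample: lockfileVersion 3, flagged version installed at top level.
LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"compass-e2e-tests": "^99.0.0"}},
        "node_modules/compass-e2e-tests": {"version": "99.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

# Constructed sample: lockfileVersion 1, flagged version nested under another
# dependency, while the top-level copy is an unaffected version.
LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "2.0.0",
            "dependencies": {"compass-e2e-tests": {"version": "99.0.0"}},
        },
        "compass-e2e-tests": {"version": "1.0.0"},
    },
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for lockfile, hits in scan_tree(sys.argv[1]).items():
            print(f"{lockfile}: {', '.join(hits)}")
    else:
        print(find_malicious(LOCK_V3))  # ['node_modules/compass-e2e-tests@99.0.0']
        print(find_malicious(LOCK_V1))  # ['node_modules/some-tool/node_modules/compass-e2e-tests@99.0.0']
```

Run it as `python find_bad_npm.py /path/to/repos` in CI or over a checkout of every repository; a non-empty result is the list of lockfiles to fix and the build environments to treat as compromised per the steps above. Note that a package.json range such as "^99.0.0" without a lockfile would also resolve to the flagged version, so unpinned manifests deserve a manual look.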

Additional Information

  • Ecosystem: npm
  • Package: compass-e2e-tests
  • Malicious version(s) called out by OpenSSF Package Analysis: 99.0.0
  • Source attribution in the entry: OpenSSF Package Analysis (finder)
Source: Vulnerability-Lookup (CIRCL) — OpenSSF Package Analysis feed
Published 16 Feb 2026 · Updated 16 Feb 2026