Package incorrectly reported as malware

[flodolo]

Advisory: GHSA-q4xh-xjxj-mr76
Source code: https://github.com/flodolo/l10ndocs-linter/

I have no idea why this package would be flagged as malware.

It's a dumb wrapper around another package (markdownlint), it's used internally as a dev dependency, and it's not published on npm.

[taladrane]

Thank you for your question.

You are likely receiving the associated alerts because a malicious package with the same name as one used in your private organization was published to the public npm registry - https://www.npmjs.com/package/mozilla-l10n-docs-linter, meaning you may be susceptible to dependency confusion and substitution. A dependency confusion attack occurs when an attacker publishes a package to a public registry (like npm) using the same name as a package used internally in a private organization. If your build or deployment process inadvertently pulls from the public registry instead of your private one, you could end up installing the attacker's malicious package. The advisory does not mean your private package or codebase is compromised, it only indicates that your package name was targeted.

• If your project only consumes the package from your private registry: No immediate action is required. You should not be affected by the malicious public package.
• If there's any risk your workflow could fetch from the public registry: Review your dependency configuration to ensure that only your private registry is used for this package name. The alert is relevant because it's possible for organizations to be vulnerable to this attack if registry configurations are not strictly enforced.

Dependency confusion is relevant because it exploits naming collisions between private and public registries, potentially tricking systems into installing malicious packages. npm alerts you when such a risk is present, even if your current setup is safe, to ensure you are aware of the attack vector and can verify your configurations.

Can the advisory against your private org package be removed?

Currently, advisories in the GitHub Advisory Database are tied to events in the public ecosystem (npm registry), not your private organization's packages. While the advisory will remain in the database for transparency and supply chain awareness, it may not indicate a vulnerability in your private package.

Best regards,
GitHub Advisory Database Security Team