Please remove all captivateiq instances #700
Hi @radical-izak. We have a policy of not removing reports of malicious packages once they have been added. We will only adjust the reports to be more specific for the versions they apply to, or withdraw them if they were not pointing to malicious packages. The repo serves as a history of malicious packages that have been published to open source repositories as both a resource to researchers and organizations trying to protect themselves. Furthermore, the repo does not attempt to judge a package on the intent of the author, only on the package itself and its behavior. This means that packages from both malicious attackers and security researchers are fair game for inclusion. I hope that helps explain. If there is a specific problem you are trying to solve other than merely removing them from the repo, I'd be happy to discuss it more.
Thank you Caleb
Hi @radical-izak,
The
Without understanding how these packages are being used and distributed, your customers' tooling may be assuming these packages are coming from NPM, or they may be more aggressive on the version matching. I would need more detail on what your customers are doing to encounter these findings to be able to help further.
Please help us remove all captivate instances from npm: https://github.com/ossf/malicious-packages/tree/main/osv/malicious/npm/%40captivateiq
All of those listed there were just a test for security purposes; now there are no public captivateiq repos.
Please let me know if you need any other information.
Thank you