OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI
OSV withdraws 157 false-positive malware reports from npm and PyPI after automated Amazon Inspector detections
Summary
OpenSSF's OSV vulnerability database rolled back 157 malicious-package reports on May 26 after automated detections from Amazon Inspector incorrectly flagged trusted npm and PyPI packages, including FastAPI and Strawberry GraphQL, as malware. The false positives propagated through dependency scanners, CI/CD systems, and security tools before being withdrawn, demonstrating the operational risk when unvalidated automated malware reports feed into widely consumed security infrastructure. The incident prompted OpenSSF to pause Amazon Inspector's automated reporting pipeline and conduct a broader cleanup across both ecosystems.
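The summary's point is that a CI gate which fails the build on any OSV malware entry turns an upstream false positive into an outage. The following added example (not code from OSV, OpenSSF, or Amazon) shows the two checks a consumer of OSV data would want: honour the advisory's `withdrawn` field so retracted reports stop firing, and distinguish corroborated malware reports from uncorroborated automated detections, which only warn. The OSV fields `id`, `withdrawn`, `affected[].package.ecosystem`, `affected[].package.name` and `affected[].versions` are real schema fields; the `database_specific.source` key, the `CORROBORATED_SOURCES` set and every advisory, package name and version in the sample data are constructed for illustration.

```python
# Added example: triage OSV-format malware advisories in a CI gate.
# Not OSV's, OpenSSF's or Amazon's code. The `database_specific.source`
# key and CORROBORATED_SOURCES are assumptions; the sample advisories and
# MAL- ids below are constructed and do not refer to real reports.

CORROBORATED_SOURCES = {"manual-review"}  # assumption: sources a human has verified

# Constructed sample advisories in OSV JSON shape.
SAMPLE_ADVISORIES = [
    {   # automated detection, never reviewed, still live -> should only warn
        "id": "MAL-0000-EXAMPLE-1",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "fastapi"},
                      "versions": ["1.2.3"]}],
        "database_specific": {"source": "automated-scanner"},
    },
    {   # same kind of detection, later withdrawn as a false positive -> ignore
        "id": "MAL-0000-EXAMPLE-2",
        "withdrawn": "2026-05-26T00:00:00Z",
        "affected": [{"package": {"ecosystem": "npm", "name": "example-graphql-lib"},
                      "versions": ["1.0.0"]}],
        "database_specific": {"source": "automated-scanner"},
    },
    {   # human-corroborated malware report -> block
        "id": "MAL-0000-EXAMPLE-3",
        "affected": [{"package": {"ecosystem": "npm", "name": "example-stealer-pkg"},
                      "versions": ["0.0.1", "0.0.2"]}],
        "database_specific": {"source": "manual-review"},
    },
]


def triage(advisory, corroborated_sources=CORROBORATED_SOURCES):
    """Return 'ignore', 'warn' or 'block' for one OSV advisory record."""
    if advisory.get("withdrawn"):          # retracted entries must stop firing
        return "ignore"
    if not advisory.get("id", "").startswith("MAL-"):
        return "block"                     # ordinary vulnerability: fail closed here
    source = advisory.get("database_specific", {}).get("source")
    return "block" if source in corroborated_sources else "warn"


def affected_versions(advisory):
    """Yield (ecosystem, name, version) for versions listed explicitly.
    OSV `ranges` are not expanded here to keep the example short."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        for version in entry.get("versions", []):
            yield (pkg.get("ecosystem"), pkg.get("name"), version)


def gate(installed, advisories, corroborated_sources=CORROBORATED_SOURCES):
    """Map each installed (ecosystem, name, version) that an advisory hits to
    (decision, advisory_id). Withdrawn advisories never produce a hit, and a
    'block' from one advisory beats a 'warn' from another on the same package."""
    index = {}
    for adv in advisories:
        decision = triage(adv, corroborated_sources)
        if decision == "ignore":
            continue
        for key in affected_versions(adv):
            prev = index.get(key)
            if prev is None or (prev[0] == "warn" and decision == "block"):
                index[key] = (decision, adv["id"])
    return {key: index[key] for key in installed if key in index}


def build_should_fail(results):
    """Only corroborated ('block') hits fail the build; 'warn' hits are reported."""
    return any(decision == "block" for decision, _ in results.values())


if __name__ == "__main__":
    # Constructed lockfile contents for the demonstration.
    installed = [
        ("PyPI", "fastapi", "1.2.3"),
        ("npm", "example-graphql-lib", "1.0.0"),
        ("npm", "example-stealer-pkg", "0.0.2"),
        ("npm", "example-clean-lib", "4.0.0"),
    ]
    results = gate(installed, SAMPLE_ADVISORIES)
    for key, (decision, adv_id) in sorted(results.items()):
        print(decision.upper(), adv_id, *key)
    raise SystemExit(1 if build_should_fail(results) else 0)
```

Run against the constructed lockfile, the gate reports a warning for the uncorroborated hit, says nothing about the withdrawn one, and fails the build only for the corroborated report. Whether the "warn" class should eventually block (for example after a review window) is a policy choice; the point of the split is that a retracted or unreviewed automated report cannot by itself break every downstream pipeline.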
Full text
Research / Security News
TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io
TrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers.
By Socket Research Team - May 24, 2026