Remove False positive / non-existent package

[divyesh-0x01]

Hi Team,

The advisory released in last June, was False Positive as it was created for test purpose with no actual malicious code, and later was removed from npm. Since, the package does not exist in public npm anymore, rather in private repo, can this be removed to avoid flagging for the false positive alert.

The advisories are

• https://osv.dev/vulnerability/MAL-2024-1641
• https://osv.dev/vulnerability/MAL-2024-1668
• https://osv.dev/vulnerability/MAL-2024-1667

Reference links -
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/%40wdpx/themes/MAL-2024-1641.json
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/%40wdp-gov/catalog-serialization-engine/MAL-2024-1668.json
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/%40wdp-gov/lineage-component/MAL-2024-1667.json

Kindly withdraw these alerts as they are non-existent now and were false positive when raised.

[awsactran]

Disclaimer: I am not representing the repo maintainers here. I am just sharing some context as a contributor.

The malicious packages repository has a policy of not withdrawing reports for malicious packages, even if they are no longer available and the namespace has been reclaimed.

This is for two reasons:

1/ if someone had ever used the malicious version keeping a historical report means they are still able to detect and remediate the problem
2/ keeping historical reports provides a resource to the community about malicious packages over time

---

Additionally, if you created test package to collect something like os.hostname() and send the information to, for example, burpcollaborator, it would be classified as malicious since it is capturing system info and sending that piece of information outbound without users consent.