registry  /  @torbeck/priority-queue  /  6.3.6

@torbeck/priority-queue@6.3.6

A heap-based implementation of priority queue in javascript with typescript support.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10472 confirms this npm version as malicious. The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax...

Advisory
MAL-2026-10472
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @torbeck/priority-queue (npm)
Details
The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax to silently substitute the legitimate @datastructures-js/heap with a sibling package @torbeck/heap@4.3.8 published by the same untrusted maintainer. src/priorityQueue.js does require('@datastructures-js/heap'), so on every import the substituted @torbeck/heap is loaded in place of the upstream package. The installer-facing harm is the namespace-abuse mechanism itself: any consumer who installs @torbeck/priority-queue automatically pulls @torbeck/heap under a name that reads as the legitimate datastructures-js dependency, regardless of what the @torbeck/heap tarball currently contains. The actual payload, if any, lives in @torbeck/heap and must be analyzed in its own record.
Decision reason
OpenSSF Malicious Packages via OSV confirms @torbeck/priority-queue@6.3.6 as malicious (MAL-2026-10472): Malicious code in @torbeck/priority-queue (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory