registry  /  @torbeck/priority-queue  /  6.3.9

@torbeck/priority-queue@6.3.9

A heap-based implementation of priority queue in javascript with typescript support.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10472 confirms this npm version as malicious. The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax...

Advisory
MAL-2026-10472
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @torbeck/priority-queue (npm)
Details
The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax to silently substitute the legitimate @datastructures-js/heap with a sibling package @torbeck/heap@4.3.8 published by the same untrusted maintainer. src/priorityQueue.js does require('@datastructures-js/heap'), so on every import the substituted @torbeck/heap is loaded in place of the upstream package. The installer-facing harm is the namespace-abuse mechanism itself: any consumer who installs @torbeck/priority-queue automatically pulls @torbeck/heap under a name that reads as the legitimate datastructures-js dependency, regardless of what the @torbeck/heap tarball currently contains. The actual payload, if any, lives in @torbeck/heap and must be analyzed in its own record.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 7.50 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Low
LowScripts Present