registry  /  redis-type-os  /  1.0.3

redis-type-os@1.0.3

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5882 confirms this npm version as malicious. Package is published as `redis-type-os` but all in-package references (README, docs/, CHANGELOG, repository field, author email) point to `redis-om` / `redis-om-node` by Guy Royse. `dist/index.js` is the upstream redis-om bundle verbatim. The only meaningful divergence from upstream is an added runtime dependency `hex-type@^3.0.2` declared in `package.json`, which is not imported anywhere in the shipped code...

Advisory
MAL-2026-5882
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in redis-type-os (npm)
Details
Package is published as `redis-type-os` but all in-package references (README, docs/, CHANGELOG, repository field, author email) point to `redis-om` / `redis-om-node` by Guy Royse. `dist/index.js` is the upstream redis-om bundle verbatim. The only meaningful divergence from upstream is an added runtime dependency `hex-type@^3.0.2` declared in `package.json`, which is not imported anywhere in the shipped code. The package itself contains no exfiltration, dropper, install hook, or credential-handling code; the carrier ships legitimate redis-om functionality. The supply-chain concern is two-fold: (1) the package name (`redis-type-os` vs `redis-om`) plus impersonated author identity creates confusion for developers who mistype the real package, and (2) installing it silently pulls `hex-type` into the dependency closure for reasons unrelated to the advertised functionality. Whether `hex-type` itself is benign or malicious must be evaluated separately. Routed for human review because name-similarity and author-impersonation are subjective judgments and the carrier itself executes no harmful code at install or import time. ## Source: ghsa-malware (99c007b1300db882ef2517bb7c64d7ecc069ad07d404c8b56c66b846b75bab49) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms redis-type-os@1.0.3 as malicious (MAL-2026-5882): Malicious code in redis-type-os (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory