Known Malicious Dependency
What it is
A dependency version matched a known malicious, compromised, or campaign-flagged package in the supplied public advisory feeds.
This usually appears when a prototype grows around packages that were installed quickly but never rechecked against a fresh advisory or campaign feed.
How to fix it
Remove or replace the affected version, rebuild from a clean environment, clear package caches, and rotate developer/CI/cloud/npm/GitHub credentials if install scripts may have executed.
- 1Remove or replace the affected version and rebuild from a clean environment.
- 2Clear package caches so the flagged artifact cannot be reinstalled.
- 3Rotate developer, CI, cloud, npm, and GitHub credentials if install scripts may have executed.
How VibeAudit checks for this
VibeAudit checks this with SCA_PUBLIC_FEEDS and SCA_MALICIOUS_CAMPAIGNS only when lockfile or dependency inventory evidence and feed snapshots are supplied. The free tier may show the surface name and an upgrade prompt, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan