Is this code malicious? #128

@felix-caboff

Hey,

Whilst doing some security assurance activities recently my team discovered references to a Node package that is marked as malicious. See:

https://security.snyk.io/vuln/SNYK-JS-ATLASUIFRAMEWORK-5865948

This is potentially very concerning, however, it isn't clear whether that package is the code in this repository. We suspect not, but want to be certain.

We looked in this repository and supporting documentation but couldn't find any reference to this vulnerability and can find no easy way to confirm that the system being assessed is not affected.

Please can you confirm:

  • where this repository's code originates from (i.e. was it ever introduced into NPM)
  • whether you are aware of this malicious code that was on NPM
  • whether the code in this repository has been checked and confirmed not to be affected
  • what (if you are aware) the known-malicious code attempted to do / a file hash to compare against / any other Indicators of Compromise (IoC)
