MAL-2026-10472
Malicious code in @torbeck/priority-queue (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b3109ebd719fa91812bd69e50b418b78f2a04c5478924f6ff53054cb798dc937) The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax to silently substitute the legitimate @datastructures-js/heap with a sibling package @torbeck/heap@4.3.8 published by the same untrusted maintainer. src/priorityQueue.js does require('@datastructures-js/heap'), so on every import the substituted @torbeck/heap is loaded in place of the upstream package. The installer-facing harm is the namespace-abuse mechanism itself: any consumer who installs @torbeck/priority-queue automatically pulls @torbeck/heap under a name that reads as the legitimate datastructures-js dependency, regardless of what the @torbeck/heap tarball currently contains. The actual payload, if any, lives in @torbeck/heap and must be analyzed in its own record.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @torbeck/priority-queue (npm). Pin to a known-safe version or switch to an alternative.