False Positive: CWE-506 Flag on Project Packages #5478

Open
@Sina-KH

Description

Hello,

We’ve noticed that three of our project libraries have been flagged under CWE-506: Embedded Malicious Code in the GitHub security advisories. After reviewing the codebase and package history, we believe this is a false positive.

There is no obfuscation, suspicious behavior, or embedded malicious code present in these packages. We suspect this flag may have been triggered erroneously—possibly due to a misinterpretation of certain implementation patterns or dependencies.

Reports:

GHSA-ccc7-4x7f-rx8r
GHSA-59c9-98cx-68fw
GHSA-xw5j-qjmv-9fjx

We kindly request a review of these advisories, and we’re happy to provide any clarifications or code details needed to assist in resolving this matter.

Thanks in advance for your attention and support!
