Description
The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project’s CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch.
Recommendation
No fix is available yet. Followings are affected versions:
**= 3.8.0 = 3.7.0 = 3.6.2 = 3.5.3**
References
Related Issues
- Malicious Package in coffee-project - Vulnerability
- react-native-mmkv Insertion of Sensitive Information into Log File vulnerability - CVE-2024-21668
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- VvvebJs Arbitrary File Upload vulnerability - CVE-2024-29272
You might also like:
- Tags:
- npm
- @opensearch-project/opensearch
Anything's wrong? Let us know Last updated on May 19, 2026


