npm package
is-arrayish
pkg:npm/is-arrayish
Malware
3 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-frh7-2f84-v9mwis-arrayish@0.3.3 contains malware after npm account takeoverSep 15, 2025
- MAL-2025-46977Malicious code in is-arrayish (npm)Sep 8, 2025
- GHSA-hfm8-9jrf-7g9wDuplicate Advisory: Malware in is-arrayishSep 8, 2025
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59331 | Hig | — | >= 0.3.3, < 0.3.4 | 0.3.4 | Sep 15, 2025 | is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added at |
- affected >= 0.3.3, < 0.3.4fixed 0.3.4
is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added at