
Please clarify harmful libffi-dev malware report #6095

@atgreen

Description


I am the author/maintainer of libffi.

This report against libffi-dev in npm is problematic: GHSA-2p54-33x3-2mcf

The advisory GHSA-2p54-33x3-2mcf is titled “Malware in libffi-dev” and lists the package as npm: libffi-dev. As written, it’s causing confusion with:

  • the upstream libffi project, and
  • legitimate Linux distribution packages also named libffi-dev (e.g., Debian/Ubuntu/Alpine dev headers).

To minimize harm and confusion, please make the following edits:

Retitle the advisory to explicitly call out the ecosystem and disambiguation, e.g.:
“Malicious npm package ‘libffi-dev’ (unaffiliated with upstream libffi)”.

Add a disambiguation banner at the top of the Description:

This advisory concerns a malicious npm package named libffi-dev. It is not related to the upstream C library “libffi” (sourceware.org/libffi) nor to distro development packages named libffi-dev shipped by Debian, Ubuntu, Alpine, etc.

If possible, tag the advisory as typosquatting/namesquatting and note whether the npm package has been removed.

Consider adding a short status line (e.g., “Removed from npm on ”) and the OSV/OSSF identifiers to help downstream tools de-duplicate.

The current title (“Malware in libffi-dev”) reads as if the project or distro dev package is compromised. Third-party aggregators already misstate it as a “widely used npm package” providing an FFI, which further muddies the water and harms the legitimate project’s reputation.

References

  • The advisory showing npm: libffi-dev and “malware” classification (GitHub).
  • Official upstream libffi website and repo (no npm package): sourceware.org/libffi and github.com/libffi/libffi.
  • Legitimate distro packages named libffi-dev (unrelated to npm): Debian (packages.debian.org), Alpine (pkgs.alpinelinux.org).
  • OSV/OSSF entry linking this GHSA to a malicious npm package (MAL-2025-4843): test.osv.dev.
  • Example of confused third-party write-up exaggerating npm usage for libffi-dev (Vulert).

Thanks for clarifying the title/body so users don’t mistake a malicious npm namesquat for the real libffi or distro libffi-dev packages.
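As an added example (not part of this issue, the advisory, or the libffi project), the following Python shows the matching rule that the requested disambiguation is meant to support in downstream tooling: an advisory keyed to the npm package "libffi-dev" is matched on (ecosystem, name), so a Debian or Alpine host carrying the unrelated libffi-dev header package is not flagged. The advisory identifiers are the ones cited above; the package-lock.json and dpkg inventories are constructed sample data, and the `Advisory` dataclass and helper names are this example's own.

```python
"""Match a malware advisory against software inventories by (ecosystem, name).

Added example, not part of the GitHub issue: shows why an advisory keyed to
the npm package "libffi-dev" must not be matched against the Debian/Alpine
"libffi-dev" dev-header packages. Advisory identifiers (GHSA-2p54-33x3-2mcf,
MAL-2025-4843) are the ones cited in the issue; the lockfile and dpkg
inventories below are constructed sample data.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str        # the ONLY ecosystem the advisory applies to
    package: str
    aliases: tuple = ()   # e.g. the OSV malware id, for de-duplication


# Advisory as described in the issue: scoped to npm, aliased to the OSV entry.
LIBFFI_DEV_NPM_ADVISORY = Advisory(
    id="GHSA-2p54-33x3-2mcf",
    ecosystem="npm",
    package="libffi-dev",
    aliases=("MAL-2025-4843",),
)

# Constructed package-lock.json (lockfileVersion 3 layout) that pulls in the npm package.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"libffi-dev": "^1.0.0"}},
        "node_modules/libffi-dev": {"version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed dpkg-style listing (Package<TAB>Version per line) from a Debian host.
SAMPLE_DPKG_LIST = """libffi8\t3.4.4-1
libffi-dev\t3.4.4-1
libc6-dev\t2.36-9
"""


def inventory_from_package_lock(text: str) -> set:
    """Return {(ecosystem, name)} for every dependency recorded in a v2/v3 lockfile."""
    lock = json.loads(text)
    found = set()
    for path in lock.get("packages", {}):
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project itself, not a dependency
        # Nested paths look like node_modules/a/node_modules/@scope/b; the
        # package name is everything after the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[1]
        found.add(("npm", name))
    return found


def inventory_from_dpkg(text: str) -> set:
    """Return {(ecosystem, name)} for a tab-separated dpkg package list."""
    found = set()
    for line in text.splitlines():
        if line.strip():
            found.add(("debian", line.split("\t", 1)[0]))
    return found


def match_advisory(advisory: Advisory, inventory) -> list:
    """Report inventory entries matching BOTH the advisory's ecosystem and package name."""
    hits = []
    for ecosystem, name in sorted(inventory):
        if ecosystem == advisory.ecosystem and name == advisory.package:
            aliases = ", ".join(advisory.aliases) or "none"
            hits.append(f"{ecosystem}:{name} -> {advisory.id} (aliases: {aliases})")
    return hits


def naive_name_only_match(advisory: Advisory, inventory) -> list:
    """The flawed comparison the issue warns about: name match regardless of ecosystem."""
    return [f"{eco}:{name}" for eco, name in sorted(inventory) if name == advisory.package]


if __name__ == "__main__":
    npm_inv = inventory_from_package_lock(SAMPLE_PACKAGE_LOCK)
    deb_inv = inventory_from_dpkg(SAMPLE_DPKG_LIST)
    print("npm lockfile   :", match_advisory(LIBFFI_DEV_NPM_ADVISORY, npm_inv))
    print("debian host    :", match_advisory(LIBFFI_DEV_NPM_ADVISORY, deb_inv))
    print("name-only (bad):", naive_name_only_match(LIBFFI_DEV_NPM_ADVISORY, deb_inv))
```

Run as a script: the npm lockfile produces one hit carrying the GHSA id and its MAL alias, the Debian inventory produces none, and the name-only comparison shows the false positive that an unscoped title like “Malware in libffi-dev” invites.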
