OSV, the OpenSSF-backed vulnerability database, withdrew 157 malicious-package reports on May 26 after automated detections from Amazon Inspector incorrectly flagged trusted npm and PyPI packages as malware. The false positives propagated into security scanners, CI/CD pipelines, SBOM tools, and policy engines before the rollback. The incident originated from an automated ingestion pipeline added in October 2025 that fed Amazon Inspector reports directly into OSV-format malware records without human validation. Affected packages included FastAPI, Strawberry GraphQL, and numerous MCP servers and AI tools. The false malware records triggered emergency reviews and forced maintainers to prove their packages were not compromised, highlighting the operational risk of treating automated, unvalidated detections as enforcement-grade intelligence in open package ecosystems.
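As an added example (not code from the Socket post, OSV, or Amazon Inspector), here is a Python triage step a policy engine could run over OSV-format malware records before turning them into build-blocking decisions. It honors the OSV `withdrawn` field, and it only enforces on records whose `database_specific.malicious-packages-origins` sources are human-validated or independently corroborated, downgrading single-source automated detections to warnings; the source names, the corroboration threshold and the sample records are assumptions constructed for the example.

```python
"""Gate OSV-format malicious-package records before they can block a build."""
from dataclasses import dataclass
from typing import Any

# Assumption: names of sources whose findings a human has reviewed.
VALIDATED_SOURCES = {"human-triage"}


@dataclass
class Verdict:
    record_id: str
    action: str  # "block", "warn" or "ignore"
    reason: str


def triage(record: dict[str, Any], validated=VALIDATED_SOURCES, min_corroboration: int = 2) -> Verdict:
    rid = record.get("id", "<no-id>")
    # OSV retracts a record by setting a `withdrawn` timestamp; it must never block.
    if record.get("withdrawn"):
        return Verdict(rid, "ignore", f"withdrawn at {record['withdrawn']}")
    if not rid.startswith("MAL-"):
        return Verdict(rid, "warn", "not a malware record; handled by vulnerability policy")
    origins = record.get("database_specific", {}).get("malicious-packages-origins", [])
    sources = {o["source"] for o in origins if o.get("source")}
    if sources & validated:
        return Verdict(rid, "block", f"human-validated by {sorted(sources & validated)}")
    if len(sources) >= min_corroboration:
        return Verdict(rid, "block", f"corroborated by {len(sources)} independent automated sources")
    # A single automated detection is advisory, not enforcement-grade.
    return Verdict(rid, "warn", f"single unvalidated automated source {sorted(sources)}; review first")


def blocked_packages(records: list[dict[str, Any]]) -> set[str]:
    """Return 'ecosystem:name' for every package a record is allowed to block."""
    blocked = set()
    for rec in records:
        if triage(rec).action == "block":
            for aff in rec.get("affected", []):
                pkg = aff["package"]
                blocked.add(f"{pkg['ecosystem']}:{pkg['name']}")
    return blocked


# Constructed sample records in OSV format (not real OSV entries).
SAMPLE_RECORDS = [
    {"id": "MAL-0000-0001", "withdrawn": "2026-05-26T00:00:00Z",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-withdrawn"}}],
     "database_specific": {"malicious-packages-origins": [{"source": "scanner-a"}]}},
    {"id": "MAL-0000-0002",
     "affected": [{"package": {"ecosystem": "npm", "name": "example-single-source"}}],
     "database_specific": {"malicious-packages-origins": [{"source": "scanner-a"}]}},
    {"id": "MAL-0000-0003",
     "affected": [{"package": {"ecosystem": "npm", "name": "example-validated"}}],
     "database_specific": {"malicious-packages-origins": [{"source": "scanner-a"}, {"source": "human-triage"}]}},
]
```

Running `blocked_packages(SAMPLE_RECORDS)` blocks only the validated record; the withdrawn and single-source records fall through to ignore and warn respectively.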

From socket.dev