OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI
Blog post from Socket
On May 26, OSV, supported by the OpenSSF, retracted 157 false reports of malicious packages after automated detections mistakenly flagged several npm and PyPI packages, including FastAPI, Strawberry GraphQL, and others, as malware. The withdrawal was prompted by incorrect data flowing into security tools and CI/CD systems, where it could break builds and force maintainers to prove their projects' integrity. The reports originated from Amazon Inspector, an automated vulnerability management service integrated into OpenSSF's pipeline in 2025, whose unvalidated detections were published as malicious-code advisories. Because the reports were automated, they triggered incident responses and build failures before maintainers had any chance to contest them. The rollback was a corrective measure to restore confidence in the OSV data source, and it highlights the challenge of relying on automated detections in public package intelligence.
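For a CI pipeline that consumes OSV data, the practical defence against this kind of retraction is to honour the schema's `withdrawn` field and to treat automated malicious-package advisories (OSV ids prefixed `MAL-`) as a separate class from ordinary vulnerability advisories. The triage function below is an added example, not code from OSV or Socket; its records are constructed in the public OSV schema shape, and the ids and versions are placeholders, not the real withdrawn entries.

```python
import datetime as dt

# Constructed sample records in OSV schema shape (id, published, withdrawn, affected).
# Ids and versions are placeholders; they are not the real entries that OSV withdrew.
SAMPLE_OSV_RECORDS = [
    {
        "id": "MAL-0000-EXAMPLE-1",  # placeholder for a retracted malware report
        "published": "2025-05-20T00:00:00Z",
        "withdrawn": "2025-05-26T00:00:00Z",
        "summary": "Malicious code in fastapi (PyPI)",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "fastapi"},
                      "versions": ["0.0.0"]}],
    },
    {
        "id": "MAL-0000-EXAMPLE-2",  # placeholder for a malware report still in force
        "published": "2025-05-20T00:00:00Z",
        "summary": "Malicious code in some-package (npm)",
        "affected": [{"package": {"ecosystem": "npm", "name": "some-package"},
                      "versions": ["1.0.0"]}],
    },
    {
        "id": "GHSA-EXAMPLE-3",  # placeholder for an ordinary vulnerability advisory
        "published": "2025-04-01T00:00:00Z",
        "summary": "Example vulnerability in strawberry-graphql",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "strawberry-graphql"},
                      "versions": ["0.0.0"]}],
    },
]


def _parse_ts(value):
    # OSV timestamps are RFC 3339 with a trailing 'Z'; make them timezone-aware.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_active(record, now=None):
    """True unless the record carries a 'withdrawn' timestamp at or before 'now'."""
    withdrawn = record.get("withdrawn")
    if not withdrawn:
        return True
    now_ts = _parse_ts(now) if now else dt.datetime.now(dt.timezone.utc)
    return _parse_ts(withdrawn) > now_ts


def triage(records, now=None):
    """Sort records into build-blocking malware hits, warnings, and ignored (withdrawn) ids.

    Only an active MAL- advisory blocks the build; withdrawn entries are logged, never
    acted on, so a later retraction like the one described above cannot keep failing CI.
    """
    out = {"block": [], "warn": [], "ignored": []}
    for record in records:
        if not is_active(record, now):
            out["ignored"].append(record["id"])
        elif record["id"].startswith("MAL-"):
            out["block"].append(record["id"])
        else:
            out["warn"].append(record["id"])
    return out
```

Re-running the triage with a fresh OSV export is what actually clears a retracted report; caching the advisory list past its `modified` time would keep the stale block in place.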