Summary
Several @browserbasehq/* advisories from the Shai-Hulud 2.0 campaign have overly broad SEMVER ranges that flag all versions as malicious, when only a single specific version of each package was ever compromised. The malicious versions have long since been removed from npm and clean versions are actively published.
This is causing downstream tools (e.g., Goose by Block) that consume OSV data to block installation of the current, clean versions of these packages.
Affected Advisories
| Advisory | Package | Malicious Version | Range (current) | Range (correct) |
|---|---|---|---|---|
| MAL-2025-191193 | @browserbasehq/bb9 | 1.2.21 | >= 0 (all versions) | = 1.2.21 only |
| MAL-2025-191194 | @browserbasehq/director-ai | 1.0.3 | >= 0 (all versions) | = 1.0.3 only |
| MAL-2025-191195 | @browserbasehq/mcp | 2.1.1 | >= 0 (all versions) | = 2.1.1 only |
| MAL-2025-191196 | @browserbasehq/mcp-server-browserbase | 2.4.2 | (no range) | OK as-is |
| MAL-2025-191197 | @browserbasehq/sdk-functions | 0.0.4 | (no range) | OK as-is |
| MAL-2025-191198 | @browserbasehq/stagehand | 3.0.4 | (no range) | OK as-is |
| MAL-2025-191199 | @browserbasehq/stagehand-docs | 1.0.1 | >= 0 (all versions) | = 1.0.1 only |
Problem
The `ghsa-malware` source in each advisory contributes a SEMVER range of `{"introduced": "0"}` with no `fixed` event, which means "all versions from 0 to infinity are affected." However, the `versions` field and the `google-open-source-security` / `amazon-inspector` sources in the same advisories correctly identify only the single compromised version.

For example, in `MAL-2025-191195.json`:

- `versions: ["2.1.1"]` (correct)
- `ranges: [{"type": "SEMVER", "events": [{"introduced": "0"}]}]` (overly broad)
Request
Please update the 4 advisories with overly broad ranges (MAL-2025-191193, MAL-2025-191194, MAL-2025-191195, MAL-2025-191199) to scope the SEMVER range to only the affected version. For example:
```json
"ranges": [
  {
    "type": "SEMVER",
    "events": [
      {"introduced": "2.1.1"},
      {"fixed": "2.1.2"}
    ]
  }
]
```
Or alternatively, since the malicious versions have been yanked from npm, the advisories could be withdrawn entirely.
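To make the difference between the current and the proposed ranges concrete, here is an added example (not code from this issue, from Goose, or from the OSV project) that implements OSV's SEMVER event semantics in plain Python and evaluates sample versions against both shapes of range. The advisory fragments in it are constructed from the fields quoted above; the helper names (`parse_version`, `is_affected`, `compare`) are this example's own. A consumer that evaluates `ranges` this way, rather than blocking on the mere presence of a MAL-* advisory, will only block `2.1.1` once the advisory is corrected.

```python
"""Evaluate OSV SEMVER ranges against package versions (added example).

Demonstrates why {"introduced": "0"} with no "fixed" event matches every
version, while an introduced/fixed pair scopes the match to one release.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed advisory fragments reproducing the fields quoted in the issue.
CURRENT_RANGES = [{"type": "SEMVER", "events": [{"introduced": "0"}]}]
PROPOSED_RANGES = [
    {"type": "SEMVER", "events": [{"introduced": "2.1.1"}, {"fixed": "2.1.2"}]}
]

_SEMVER = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?"
)


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-prerelease]' into a sortable key.

    OSV uses the literal "0" to mean "before every version", so it gets a key
    below 0.0.0 and any of its prereleases. A release sorts above every
    prerelease of the same numeric triple, and numeric prerelease identifiers
    sort below alphanumeric ones (semver 2.0 precedence rules).
    """
    if v == "0":
        return ((0, 0, 0), (0, ()))
    m = _SEMVER.fullmatch(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, (1,))  # a release outranks any prerelease
    ids = tuple(
        (0, int(ident), "") if ident.isdigit() else (1, 0, ident)
        for ident in pre.split(".")
    )
    return (core, (0, ids))


def is_affected(version: str, ranges: Iterable[dict]) -> bool:
    """Return True if `version` is inside any SEMVER range.

    Events are walked in version order; the state after the last event at or
    below `version` decides. 'introduced' turns the range on, 'fixed' turns it
    off from that version, 'last_affected' turns it off after that version.
    """
    key = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "SEMVER":
            continue
        events = []
        for ev in rng["events"]:
            (kind, val), = ev.items()
            events.append((parse_version(val), kind))
        state = False
        for ev_key, kind in sorted(events, key=lambda e: e[0]):
            if ev_key > key:
                break
            if kind == "introduced":
                state = True
            elif kind == "fixed":
                state = False
            elif kind == "last_affected" and ev_key < key:
                state = False
        if state:
            return True
    return False


def compare(versions: Iterable[str], ranges: Iterable[dict]) -> dict:
    """Map each version to whether the given ranges flag it."""
    return {v: is_affected(v, ranges) for v in versions}


if __name__ == "__main__":
    sample = ["1.0.0", "2.1.0", "2.1.1", "2.1.2-rc.1", "2.1.2", "3.0.0"]
    print("current (introduced 0):", compare(sample, CURRENT_RANGES))
    print("proposed (2.1.1 only):", compare(sample, PROPOSED_RANGES))
```

Note that `2.1.2-rc.1` is still flagged by the proposed range, because semver orders prereleases of 2.1.2 below the 2.1.2 release; that is the intended reading of a `fixed: "2.1.2"` event.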
Impact
- Goose (Block's AI agent) checks OSV before loading MCP extensions and blocks any package with a MAL-* advisory, regardless of version. Users cannot use @browserbasehq/mcp or other Browserbase packages as Goose extensions.
- Any other security scanner consuming OSV data will similarly flag all versions of these packages.
Context
These packages were compromised as part of the Shai-Hulud 2.0 npm supply chain attack in November 2025. The malicious versions were removed from npm shortly after discovery. Current versions on npm are clean.
The corresponding GHSA advisories also need correction (linked via aliases in each advisory).