Hi Team
We have installed the latest npm appdynamics version, 24.12.0, and it adds the dependent packages below, which have critical vulnerabilities in package-lock.json.
"appdynamics-libagent-napi"
"appdynamics-native"
"appdynamics-protobuf"
Please let us know the resolution for this issue, as our application will not support a lower version of appdynamics.
Thanks
Suresh, I would suggest that you create a support case so that someone from the team can help you install it:
https://mycase.cloudapps.cisco.com/case
Regarding the critical vulnerabilities in the AppDynamics dependencies that were flagged by GitHub, our security team has provided the following justification: "Recently AppDynamics was made aware of alerts about malicious software in the AppDynamics Node.js Agent (https://www.npmjs.com/package/appdynamics). The following components are being flagged by NPM tooling.
appdynamics-libagent-napi - https://github.com/advisories/GHSA-j9p6-9m64-6w55
appdynamics-native - https://github.com/advisories/GHSA-wgg3-rjwp-5qp2
appdynamics-protobuf - https://github.com/advisories/GHSA-5fmf-f797-r9p5
AppDynamics uses these component names internally and embeds them inside the official AppDynamics Node.js Agent. AppDynamics does not publish these components to npmjs.com. A malicious actor uploaded malicious code using the names of these packages; this is known as an npm look-alike attack. An "npm repository look-alike attack" refers to a malicious tactic where an attacker creates a package on the npm registry with a name that closely resembles a legitimate, popular package, aiming to trick developers into installing the malicious version instead, potentially allowing them to inject harmful code into a project by exploiting the trust placed in the seemingly familiar package name.
The NPM tool only does a name comparison and does not have the ability to distinguish where a package is sourced from.
This can lead to confusion and make it appear that the AppDynamics Node.js Agent is compromised. Please understand this is a false positive. While the AppDynamics Node.js Agent does use these component names internally, the agent does not reach out to npmjs.com to retrieve the packages. Thus, when using the official AppDynamics NPM agent you will not be infected with a malicious piece of software."
If you still have any questions, please feel free to create a support case for further assistance
https://mycase.cloudapps.cisco.com/case
Thanks for the update.
Can you please guide us on how to install from the official (trusted source) AppDynamics NPM to avoid these malicious dependent packages?