[false-positive] the packages are no longer pose any risk

[CHATSKII]

Seems like packages are held as a security placeholder and then packages names were properly claimed as "Holding package". Since then packages do not appear to be malicious.

Packages to be withdrawn:

• https://osv.dev/vulnerability/MAL-2022-175
• https://osv.dev/vulnerability/MAL-2022-174

additional information from npmjs:

• https://www.npmjs.com/package/@cobalt-team/support-email
• https://www.npmjs.com/package/@cobalt-team/multi-invite

[calebbrown]

The malicious packages repository has a policy of not withdrawing reports for malicious packages, even if they are no longer available and the namespace has been reclaimed.

This is for two reasons:

1. if someone had ever used the malicious version keeping a historical report means they are still able to detect and remediate the problem
2. keeping historical reports provides a resource to the community about malicious packages over time

To ensure that the holding packages are not marked as false-positives I will update the versions to better match those that were uploaded that were malicious.

@cobalt-team/support-email:

• 1.0.0
• 1.1.2
• 1.54.0

@cobalt-team/multi-invite:

• 1.0.0
• 1.0.3
• 1.0.4
• 1.32.1