{"id":"MAL-2026-4464","summary":"Malicious code in @vtmn-play/react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145)\nPackage name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical dependency-confusion version-bump shape used to override an internal package on installer machines. The package's own code is an empty stub (module.exports = {}). package.json declares a dependency `ltidisafe` resolved from a non-registry tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.2.tgz — the path segment `depenconf` explicitly advertises dependency-confusion intent. On `npm install`, npm fetches and installs that arbitrary tarball from a generic Google Cloud Storage bucket unrelated to Decathlon, dragging attacker-controlled code into the installer's dependency tree. The stub-host pattern combined with an off-registry tarball whose URL is self-labeled with the attack name leaves no benign interpretation.\n","modified":"2026-05-26T06:02:14.057141305Z","published":"2026-05-20T02:21:32Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.1"],"import_time":"2026-05-26T05:50:35.148970618Z","source":"amazon-inspector","modified_time":"2026-05-20T02:21:33Z","id":"IN-MAL-2026-003407","sha256":"2e6505a22310d49627feb1b1862e401a7b5a886b80f8a60ed1f824376c8767e9"},{"modified_time":"2026-05-20T02:21:32Z","import_time":"2026-05-26T05:50:35.044013065Z","versions":["99.9.1"],"source":"amazon-inspector","id":"IN-MAL-2026-003406","sha256":"6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@vtmn-play/react/v/99.9.1"}],"affected":[{"package":{"name":"@vtmn-play/react","ecosystem":"npm","purl":"pkg:npm/%40vtmn-play%2Freact"},"versions":["99.9.1"],"database_specific":{"indicators":{"domains":["ltidi.storage.googleapis.com","7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com","7363616e2d376165366663616333646433.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com","2f686f6d652f7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com"],"package_integrity":[{"filename":"react-99.9.1.tgz","hashes":{"sha512_sri":"sha512-ous3ICFFgc8IIvDEnBcgDF9NJETqEbWv+ac3kq6j2gXJ/HYZQJ4482V+LAVZt8FCRLpfmDCEb2FeyNI8gWcRIA==","sha1":"557cd7cc5f8908b1cf7f2a6d07c62b3ab13b57fe"}}],"evidence_files":[{"path":"package.json","tlsh":"cbe0cd64456156334fc511b6481b555bf3714e5f04047d1c5bdb441c459dab328f935d","sha256":"3415dc396c96b6c7b18c7c8e40beca316cb6c8f6610dc50e8e3aca6812c5048c"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vtmn-play/react/MAL-2026-4464.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}