{"id":"MAL-2026-5153","summary":"Malicious code in @att-ebiz/abs-components-bc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fb8d1b46db555fda7536bcf080f9dfd0ceed5c731f7a96b2579121598dad6721)\nPackage @att-ebiz/abs-components-bc@99.9.1 is an empty placeholder published to public npm under a scope (@att-ebiz) that matches AT&T's internal eBusiness namespace, with an inflated 99.9.1 version designed to outrank a legitimate private package of the same name during resolution. Its only meaningful content is a dependency in package.json line 10 declaring \"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.8.tgz\" — an off-registry tarball hosted on a third-party Google Cloud Storage bucket. The URL is unpinned (no integrity hash), mutable by whoever controls the bucket, and the path segment 'depenconf' explicitly names the dependency-confusion technique. On npm install, npm fetches that tarball and executes any preinstall/install/postinstall lifecycle scripts and module code it contains on the installer's machine. The package itself ships an empty index.js, so installation has no purpose other than pulling and executing the remote tarball's contents. Combined fingerprint — scoped namespace impersonation + 99.9.1 version inflation + empty source + unpinned off-registry tarball with 'depenconf' in the URL — is an unambiguous dependency-confusion dropper.\n\n## Source: ossf-package-analysis (d9d4d8606057fc579fbbc6ede648c88bb580827838850f589e8887c1dd374a39)\nThe OpenSSF Package Analysis project identified '@att-ebiz/abs-components-bc' @ 99.9.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-09T18:01:34.713897621Z","published":"2026-06-02T07:07:06Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-02T07:46:07.444619668Z","sha256":"d9d4d8606057fc579fbbc6ede648c88bb580827838850f589e8887c1dd374a39","modified_time":"2026-06-02T07:07:06Z","versions":["99.9.1"],"source":"ossf-package-analysis"},{"id":"IN-MAL-2026-005044","import_time":"2026-06-09T17:45:50.815196924Z","modified_time":"2026-06-09T17:25:08Z","sha256":"f3e597e558eea8fcd44160e348300946f5bed715ad5dd6e913fa4395c104fba5","versions":["99.9.1"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-005043","import_time":"2026-06-09T17:45:50.709235157Z","modified_time":"2026-06-09T17:25:07Z","sha256":"fb8d1b46db555fda7536bcf080f9dfd0ceed5c731f7a96b2579121598dad6721","versions":["99.9.1"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@att-ebiz/abs-components-bc/v/99.9.1"}],"affected":[{"package":{"name":"@att-ebiz/abs-components-bc","ecosystem":"npm","purl":"pkg:npm/%40att-ebiz%2Fabs-components-bc"},"versions":["99.9.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@att-ebiz/abs-components-bc/MAL-2026-5153.json","indicators":{"domains":["ltidi.storage.googleapis.com","7363616e.att-ebiz.tc9dmm8ahzt4ljxnwi98bfyj0a6du3is.oastify.com","7363616e2d626163306439303830373835.att-ebiz.tc9dmm8ahzt4ljxnwi98bfyj0a6du3is.oastify.com","2f686f6d652f7363616e.att-ebiz.tc9dmm8ahzt4ljxnwi98bfyj0a6du3is.oastify.com"],"package_integrity":[{"hashes":{"sha1":"d3c7db9eb959f41aaec02924fb8183ebc4ec9d8b","sha512_sri":"sha512-6Bu0HdQM6zlUKud90LyVCoV//GmrRxhiUEKjHjeu/xASfaKCDgVJOR9tAQUWELjckhudfXP5MjLATXTrN8IIBQ=="},"filename":"abs-components-bc-99.9.1.tgz"}],"evidence_files":[{"tlsh":"ebe02630492055334ac921b1482aa457b3b08e4e08087c0c5adb081c429da7368f929d","path":"package.json","sha256":"cdb59e9523e3b8d8de39554e0d7906981f2bf678ea2c622fa42a0340abaeda7b"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}