{"id":"MAL-2026-5158","summary":"Malicious code in page-info-service (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd)\npage-info-service@99.9.1 ships an empty stub (`index.js` is `module.exports = {}`) with placeholder author/description metadata and an unusually high 99.9.1 version designed to win semver resolution against an internal package name. Its sole effect is a `dependencies` entry that pulls `ltidisafe` from an external HTTPS tarball at `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz` — not from the npm registry. On `npm install`, npm fetches and installs that tarball and runs whatever lifecycle scripts and code it contains. The tarball is hosted on a third-party Google Cloud Storage bucket under a path (`depenconf/`) that explicitly suggests dependency-confusion tooling; its contents are mutable by the bucket owner, there is no integrity hash, no version pinning to a trusted registry, and no relation to any stated package purpose. This matches the canonical dependency-confusion off-registry-dropper pattern.\n\n## Source: ossf-package-analysis (d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e)\nThe OpenSSF Package Analysis project identified 'page-info-service' @ 99.9.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-09T18:01:37.612490328Z","published":"2026-06-02T11:30:35Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.1"],"sha256":"d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e","modified_time":"2026-06-02T11:30:35Z","source":"ossf-package-analysis","import_time":"2026-06-02T11:33:40.237952626Z"},{"sha256":"9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd","versions":["99.9.1"],"modified_time":"2026-06-09T17:24:49Z","id":"IN-MAL-2026-005039","source":"amazon-inspector","import_time":"2026-06-09T17:45:50.427494025Z"},{"sha256":"bdbe4cc5072cdaa733c65ed059bbb9a1b51dc29b51cfc3b2ce1fa7ab9ea662bd","versions":["99.9.1"],"modified_time":"2026-06-09T17:24:50Z","id":"IN-MAL-2026-005040","source":"amazon-inspector","import_time":"2026-06-09T17:45:50.502405007Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/page-info-service/v/99.9.1"}],"affected":[{"package":{"name":"page-info-service","ecosystem":"npm","purl":"pkg:npm/page-info-service"},"versions":["99.9.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"page-info-service-99.9.1.tgz","hashes":{"sha512_sri":"sha512-bLXIBKBqcLQ55ZYKZFHloCIJVa5HB4NLKqBYR8JmdCYtHBrP8D4rH6yIlI8zXy7q5l+cEtKDi4FzzBSEtF6DXQ==","sha1":"b2447bc34ec327e1306b2901e1e9d08ff9a5f8aa"}}],"evidence_files":[{"sha256":"708b716a7ea695a807e1db605f17615e5eae9ee149c4393ba98dc130c0d41cef","tlsh":"8ee0cd24496155334ec511b55c1f6557f3719e5f1405bd1d5beb041c418da7328f925c","path":"package.json"}],"domains":["2f686f6d652f7363616e.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com","7363616e.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com","7363616e2d343932303235386263356165.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com"]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/page-info-service/MAL-2026-5158.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}