{"id":"MAL-2026-5430","summary":"Malicious code in @sourceflow-uk/sourceflow-tracker (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d)\npackage.json declares a dependency `ltidisafe` whose version specifier is the raw URL `https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz` — a tarball hosted on a generic Google Cloud Storage bucket unrelated to the package's nominal publisher (@sourceflow-uk). On `npm install`, npm fetches and installs that tarball as a transitive dependency, executing any lifecycle scripts (preinstall/install/postinstall) it contains on the installer's machine. The URL is not version-pinned, not hash-verified, and not under the publisher's control: the bucket owner can swap the tarball contents at any time, so a future install delivers different bytes than a present install with no package change. The wrapper package itself is hollow — `index.js` only runs `console.log(\"hello from lslslslslss\")`, the description is the garbled string `lspodcc`, the author is `lslsls`, and the version is `99.91.9`. These attributes are inconsistent with the advertised \"sourceflow tracker\" functionality and consistent with a throwaway lure whose sole purpose is to chain-load the third-party tarball into the installer's dependency tree.\n","modified":"2026-06-09T18:01:33.008076806Z","published":"2026-06-09T17:18:34Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005016","import_time":"2026-06-09T17:45:49.14636374Z","source":"amazon-inspector","sha256":"056586762b747716eb425caabeec72f83665eae6c88d6320a927b705f4867ad4","modified_time":"2026-06-09T17:18:34Z","versions":["99.91.9"]},{"source":"amazon-inspector","import_time":"2026-06-09T17:45:49.071306398Z","id":"IN-MAL-2026-005015","sha256":"c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d","modified_time":"2026-06-09T17:18:34Z","versions":["99.91.9"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sourceflow-uk/sourceflow-tracker/v/99.91.9"}],"affected":[{"package":{"name":"@sourceflow-uk/sourceflow-tracker","ecosystem":"npm","purl":"pkg:npm/%40sourceflow-uk%2Fsourceflow-tracker"},"versions":["99.91.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sourceflow-uk/sourceflow-tracker/MAL-2026-5430.json","indicators":{"evidence_files":[{"path":"package.json","sha256":"81ba01b776825d7bd6a7819f656074d826f3861e104328681a21506976f0d491","tlsh":"39e0df28995255334bc942e64c257827eaa95e0e100c7c0947db212c49deab37dfa36c"}],"domains":["storage.googleapis.com","10.201.176.2.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com","7363616e2d386661393038626631316461.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com","2f686f6d652f7363616e.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com"],"package_integrity":[{"hashes":{"sha1":"1740d0d60801b96daa36c0ff3373aeea56ce479b","sha512_sri":"sha512-tsfzUxVKmVCY02W9rN9HIXupUJjBXpiq1dZXNHHcLJ0ButH+05/Ckelw0P4WDrfBj6v481K00vNoa4cx0HqY2w=="},"filename":"sourceflow-tracker-99.91.9.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}