{"id":"MAL-2026-5446","summary":"Malicious code in housecall-ui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe)\nhousecall-ui@99.9.1 is a hollow npm package (empty description, empty author, index.js exports an empty object) whose sole runtime dependency is declared as an HTTPS tarball URL pointing at a third-party Google Cloud Storage bucket: `\"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz\"` (package.json line 10). On `npm install`, npm fetches whatever bytes currently reside at that GCS URL and executes any lifecycle scripts (preinstall/install/postinstall) inside the resulting tarball. The bucket is not the npm registry, is not a documented publisher infrastructure for any vendor, is unpinned by hash, and is mutable by whoever controls it — meaning the installer cannot audit or guarantee what code will run. The package's name is brand-adjacent to HouseCall Pro and the version is artificially inflated to 99.9.1, the canonical pattern of a dependency-confusion lure designed to outrank an internal private package of the same name in mixed-resolution environments. The surrounding package contributes no functionality; its only effect on install is to sideload `ltidisafe` from attacker-mutable infrastructure.\n","modified":"2026-06-09T18:01:36.363048286Z","published":"2026-06-09T17:23:49Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:23:49Z","id":"IN-MAL-2026-005029","versions":["99.9.1"],"source":"amazon-inspector","sha256":"67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe","import_time":"2026-06-09T17:45:49.938772563Z"},{"modified_time":"2026-06-09T17:23:50Z","id":"IN-MAL-2026-005030","versions":["99.9.1"],"source":"amazon-inspector","sha256":"fac4b593cce0ccef6f616ac18250600b6692702eedba77bff01a290e1c07b2fa","import_time":"2026-06-09T17:45:49.968550722Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/housecall-ui/v/99.9.1"}],"affected":[{"package":{"name":"housecall-ui","ecosystem":"npm","purl":"pkg:npm/housecall-ui"},"versions":["99.9.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/housecall-ui/MAL-2026-5446.json","indicators":{"domains":["ltidi.storage.googleapis.com","7363616e2d666362633435376165666363.housecall-ui.w74ghp3dc2o7gmsqrl4b6itmvd14vslga.oastify.com","7363616e.housecall-ui.w74ghp3dc2o7gmsqrl4b6itmvd14vslga.oastify.com","2f686f6d652f7363616e.housecall-ui.w74ghp3dc2o7gmsqrl4b6itmvd14vslga.oastify.com"],"evidence_files":[{"path":"package.json","tlsh":"8ae0c2644a71a6334ec512b2882b955bf3b18e5f1808bc1c9bef041c858da7378f929d","sha256":"c8e4a2ad0cc83989c83d3608a8278cecfcb4a1781ebfa8015f1726f342b8cec6"}],"package_integrity":[{"hashes":{"sha1":"03cf7565d035829ea41193d87f51a4d8fa35aa81","sha512_sri":"sha512-QXOff8RxAI/bni1zQ40iE40xMssmt9RPy9Gget2PjyDfe5/8DcaPMvy/3K/GOZKa/LaH9XbmsKG/xRu5fsn18g=="},"filename":"housecall-ui-99.9.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}