{"id":"MAL-2026-5447","summary":"Malicious code in localization-lib (npm)","details":"Reviewer note: the `ltidisafe` tarball is fetched from a storage bucket outside the npm registry, so its contents are not covered by the `package_integrity` hash in this record (which is for `localization-lib-99.9.1.tgz` only) and can change between fetches without any version bump; the behavior observed in one analysis may not match what a later install receives. The `indicators.domains` entries under `oastify.com` carry hex-encoded labels (for example `7363616e` decodes to `scan` and `2f686f6d652f7363616e` to `/home/scan`), which is consistent with out-of-band DNS callbacks reporting host details to an interaction listener. Treat any host that ran `npm install` with this package as having executed attacker-controlled lifecycle hooks: remove the package, rotate credentials available on that host, and search lockfiles for `resolved` entries pointing at `ltidi.storage.googleapis.com` as well as for `localization-lib@99.9.1`. Installing with `--ignore-scripts` blocks the lifecycle hooks but does not prevent npm from fetching the off-registry tarball.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94)\nlocalization-lib@99.9.1 is an empty shell package: `index.js` is `module.exports = {}` and `package.json` has no description or author. Its `dependencies` declares `\"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.1.tgz\"`, resolving a transitive dependency directly from a third-party Google Cloud Storage bucket rather than the npm registry. On `npm install`, npm fetches and installs that opaque tarball and executes any lifecycle hooks it declares on the installer's machine. The version `99.9.1` is the canonical outranking-version pattern used in dependency-confusion attacks to override a legitimate internally-named package, and the URL path literally contains the token `depenconf`. The package has no functional purpose other than smuggling this off-registry dependency into the installer's environment.\n","modified":"2026-06-09T18:01:36.468581088Z","published":"2026-06-09T17:23:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005032","import_time":"2026-06-09T17:45:50.052115617Z","versions":["99.9.1"],"modified_time":"2026-06-09T17:23:59Z","source":"amazon-inspector","sha256":"bcd25156cfc8d9cd6b46f2b84b7212acd8a139ae38c964302332104a0fb44067"},{"id":"IN-MAL-2026-005031","import_time":"2026-06-09T17:45:50.011647696Z","versions":["99.9.1"],"modified_time":"2026-06-09T17:23:58Z","source":"amazon-inspector","sha256":"bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/localization-lib/v/99.9.1"}],"affected":[{"package":{"name":"localization-lib","ecosystem":"npm","purl":"pkg:npm/localization-lib"},"versions":["99.9.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/localization-lib/MAL-2026-5447.json","indicators":{"domains":["7363616e2d666136323231393661313133.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com","2f686f6d652f7363616e.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com","ltidi.storage.googleapis.com","7363616e.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com"],"package_integrity":[{"hashes":{"sha1":"f37184c90e9db6f936e12b5448fe7607a3509536","sha512_sri":"sha512-K72q+mf8xeug5pj8xfWSbk9cPySIDB3DIdFafT+f/QOPgSfzB9/+gttZoGDB5TfYedXRF3Z4tMJsO9gfe/0+sA=="},"filename":"localization-lib-99.9.1.tgz"}],"evidence_files":[{"tlsh":"68e07d60452155334ec511f24c2a5007f3704e8f0408fc0c2aeb041c408db732cf935c","path":"package.json","sha256":"06c48f97c3211303018b41898b75a95ec22815e4487f432004f31a4f8ccb40b6"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}