{"id":"MAL-2026-5448","summary":"Malicious code in mazemap (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0)\npackage.json declares its only dependency `ltidisafe` as a direct HTTPS tarball URL (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz`) hosted on a generic Google Cloud Storage bucket rather than resolved from the npm registry. On `npm install mazemap`, npm fetches and installs that arbitrary tarball, executing any lifecycle scripts (preinstall/install/postinstall) it contains — the tarball is bucket-owner-mutable and not subject to registry vetting. The package itself is a hollow lure: `index.js` is a 35-byte `module.exports = {};`, with no description, no author, ISC default license, and version `99.9.1` — a recognized dependency-confusion technique for overriding an internal package of the same name via a higher public version. The bucket path segment is literally `depenconf`. The combination of hollow main, inflated version, anonymous GCS-hosted dependency, and name collision with a real product (MazeMap) is a dependency-confusion / smuggling shape whose only on-install effect is to pull and execute attacker-controlled code from a non-registry source.\n","modified":"2026-06-09T18:01:36.562816451Z","published":"2026-06-09T17:24:06Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T17:45:50.097394313Z","source":"amazon-inspector","versions":["99.9.1"],"sha256":"751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0","modified_time":"2026-06-09T17:24:06Z","id":"IN-MAL-2026-005033"},{"import_time":"2026-06-09T17:45:50.138728626Z","source":"amazon-inspector","versions":["99.9.1"],"sha256":"ecccd07042bcd8a96f5ad7d2cdba5ecd1b36fac689210c4bdd4575b2d9a92cb6","modified_time":"2026-06-09T17:24:07Z","id":"IN-MAL-2026-005034"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mazemap/v/99.9.1"}],"affected":[{"package":{"name":"mazemap","ecosystem":"npm","purl":"pkg:npm/mazemap"},"versions":["99.9.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mazemap/MAL-2026-5448.json","indicators":{"domains":["ltidi.storage.googleapis.com","7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com","7363616e2d633063303364613663333833.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com","2f686f6d652f7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com"],"evidence_files":[{"tlsh":"b9e0c2244a6566334ec911b64c2a655bf3b18e5f4418bc1d6bdb042c418dab338f925d","sha256":"06e43470ff0eafc309308403464434f5afd314d40265922d8ef5de296b1c9465","path":"package.json"}],"package_integrity":[{"filename":"mazemap-99.9.1.tgz","hashes":{"sha512_sri":"sha512-M7oJSA6NNnUgXkUS1FKHFB24H3owMcoRUonZQxz8dJoSXOXRZqm0zmpTdQZlZW+VBt85JkmDUwyEZdWMuCdCTw==","sha1":"d2b808b547cfbd8a923768e468f375e1a60729c3"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}