{"id":"MAL-2026-5451","summary":"Malicious code in privacy-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969)\nprivacy-sdk@99.9.1 is a hollow wrapper (index.js is `module.exports = {}`, blank description, blank author) whose sole runtime dependency is declared as a raw tarball URL: `\"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.9.tgz\"`. On `npm install privacy-sdk`, npm fetches that tarball directly from the GCS bucket — bypassing the npm registry's publication, audit, and integrity-hash mechanisms — and installs it, executing any lifecycle scripts (preinstall/install/postinstall) bundled inside. The bucket and `depenconf` path do not correspond to any identifiable publisher, the URL has no integrity field, and the bytes at that URL are mutable by whoever controls the bucket. The version `99.9.1` is the canonical high-version dependency-confusion pattern used to outrank an organization's internal `privacy-sdk` package, and the generic name compounds that risk. The package has no advertised functionality of its own; its only effect on install is to deliver attacker-controlled code into the installer's environment via the smuggled tarball.\n","modified":"2026-06-09T18:01:37.587953003Z","published":"2026-06-09T17:25:01Z","database_specific":{"malicious-packages-origins":[{"sha256":"3fde8996f6e327af3c05557575254a0ded23e8f31a7b4f5219e1c26615ec3a28","versions":["99.9.1"],"modified_time":"2026-06-09T17:25:01Z","import_time":"2026-06-09T17:45:50.591544256Z","id":"IN-MAL-2026-005042","source":"amazon-inspector"},{"sha256":"5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969","versions":["99.9.1"],"modified_time":"2026-06-09T17:25:01Z","import_time":"2026-06-09T17:45:50.560889867Z","id":"IN-MAL-2026-005041","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/privacy-sdk/v/99.9.1"}],"affected":[{"package":{"name":"privacy-sdk","ecosystem":"npm","purl":"pkg:npm/privacy-sdk"},"versions":["99.9.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"domains":["ltidi.storage.googleapis.com","7363616e.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com","7363616e2d643837343166643330386637.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com","2f686f6d652f7363616e.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com"],"package_integrity":[{"filename":"privacy-sdk-99.9.1.tgz","hashes":{"sha1":"99e4aff3131fc2018b7cc95969c8d0d3398fc3bc","sha512_sri":"sha512-+8LtG96To0e2xuVYVpZ1Uamr6HSyD2lpCytHaIF/jesaqwmz0dz5FbXVRKtmejnpJuimaDOhlX5EP8ktuXh3/w=="}}],"evidence_files":[{"sha256":"1761384280743dbd6b1964cd8fee23c3740fdd7a9509232bb74883c63b5fa489","tlsh":"d1e0c2244a6166334ec511b68d2b955bf3b18e5f0418bc1c5aef541c819db7368f92ac","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/privacy-sdk/MAL-2026-5451.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}