{"id":"MAL-2026-5453","summary":"Malicious code in tivo-codelib-a (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7)\ntivo-codelib-a@99.9.1 is an empty-stub npm package whose `index.js` exports `module.exports = {}` and whose package metadata (description, author) is blank. Its only effect on installers is its sole runtime dependency, which is declared in package.json as a direct HTTPS URL rather than a registry version: `\"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.1.tgz\"`. On `npm install`, npm fetches that tarball from a Google Cloud Storage bucket (`ltidi.storage.googleapis.com/depenconf/`) that does not correspond to any reputable publisher, installs it into the consumer's node_modules, and runs any lifecycle scripts it contains. The URL is not hash-pinned, so the bucket owner can swap the tarball contents at any time and ship arbitrary code to every installer. The package name pattern (`-codelib-a`), the unusually high version (99.9.1), the empty metadata, and the off-registry GCS dependency together match the dependency-confusion smuggler/loader shape: a hollow lure whose install resolves to attacker-controlled code hosted outside the registry.\n","modified":"2026-06-09T18:01:37.870010693Z","published":"2026-06-09T17:27:44Z","database_specific":{"malicious-packages-origins":[{"sha256":"2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7","versions":["99.9.1"],"modified_time":"2026-06-09T17:27:44Z","import_time":"2026-06-09T17:45:51.459907891Z","source":"amazon-inspector","id":"IN-MAL-2026-005053"},{"sha256":"57c9d90cd89beaed446ec71eacbe7fd7230972ebf844bd58a3199c2e4dbf3ed9","versions":["99.9.1"],"source":"amazon-inspector","import_time":"2026-06-09T17:45:51.510031173Z","modified_time":"2026-06-09T17:27:44Z","id":"IN-MAL-2026-005054"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tivo-codelib-a/v/99.9.1"}],"affected":[{"package":{"name":"tivo-codelib-a","ecosystem":"npm","purl":"pkg:npm/tivo-codelib-a"},"versions":["99.9.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"fbcd2f7e47a62d5254dd94ea8bd9e80fed2cf980","sha512_sri":"sha512-Ab0qWS1glZZj6C5KUxHeJ5ORSrPAvtiEjMmXaesTTo96PkKESDlrk2Sjh9OUQgz8TGOJZa4hyuJodbzJTkJuIQ=="},"filename":"tivo-codelib-a-99.9.1.tgz"}],"evidence_files":[{"sha256":"e07d0700632dcbcb87e7ef7a1af059c922c045065ec260cc3868c177a6f7099e","tlsh":"68e072204a21a6331fc500f24c2aa54bf3b08e9f0808bc0c1eeb081c808df7328f926d","path":"package.json"},{"sha256":"322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8","tlsh":"0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754","path":"index.js"}],"domains":["ltidi.storage.googleapis.com","7363616e.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com","7363616e2d633832343432663362343336.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com","2f686f6d652f7363616e.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com"]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tivo-codelib-a/MAL-2026-5453.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}