{"id":"MAL-2026-5517","summary":"Malicious code in firefly-utilities-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59)\nfirefly-utilities-helper@99.9.1 ships an empty stub (index.js: `module.exports = {};`) with no description, author, or repository, but declares a single dependency `ltidisafe` as a direct tarball URL: `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz`. The bucket is on Google Cloud Storage, unrelated to any documented publisher, and the bucket/path naming (`ltidi`/`depenconf`) is consistent with a dependency-confusion staging area. URL-tarball dependencies bypass the npm registry's visibility, signature, and tooling — `npm install` will fetch the.tgz directly and execute any preinstall/install/postinstall lifecycle scripts it ships, with no hash pin, no signature, and no registry review. The wrapper contributes no functionality; its only effect on install is to smuggle the off-registry tarball into the installer's dependency tree. The high version number (99.9.1) and absent metadata are also consistent with a dependency-confusion lure intended to outrank an internal package of the same name.\n\n## Source: ossf-package-analysis (783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c)\nThe OpenSSF Package Analysis project identified 'firefly-utilities-helper' @ 99.9.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-10T19:31:29.101545989Z","published":"2026-06-10T17:38:18Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-10T18:03:18.468440676Z","versions":["99.9.1"],"source":"ossf-package-analysis","sha256":"783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c","modified_time":"2026-06-10T17:38:18Z"},{"import_time":"2026-06-10T19:23:46.415407612Z","versions":["99.9.1"],"source":"amazon-inspector","sha256":"cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59","id":"IN-MAL-2026-005261","modified_time":"2026-06-10T18:21:43Z"},{"import_time":"2026-06-10T19:23:46.461650848Z","versions":["99.9.1"],"source":"amazon-inspector","sha256":"72e58b905aa1de5ac2326fa5797442959160fb1566547987fc82fa4746f2a5f0","id":"IN-MAL-2026-005262","modified_time":"2026-06-10T18:21:44Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/firefly-utilities-helper/v/99.9.1"}],"affected":[{"package":{"name":"firefly-utilities-helper","ecosystem":"npm","purl":"pkg:npm/firefly-utilities-helper"},"versions":["99.9.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-BCPnEE5VhogA0KDIINvrcnrtAmk0AGpxC6EPGS2JNpTod4uasBKmmmFNVbF7DAKkXQEYOiaSc3myPnKzHe1a8A==","sha1":"ee154fcd12e9beb5c848592c4a684a23b758479e"},"filename":"firefly-utilities-helper-99.9.1.tgz"}],"evidence_files":[{"path":"package.json","sha256":"d6b357be209624bca65a91e3817e0d4b496c413d88ce08a5ff6b0d4c8f8f0596","tlsh":"f1e07d24566156334ec511f24c1f5547f3b08e4f0404bc1c1afb441c408db7328fe25c"},{"path":"index.js","sha256":"322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8","tlsh":"0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754"}],"domains":["7363616e.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com","7363616e2d643234616332363761343938.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com","2f686f6d652f7363616e.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/firefly-utilities-helper/MAL-2026-5517.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}