{"id":"MAL-2026-5767","summary":"Malicious code in ltidiconf (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a4ca306052ea5224831743daec9d3944fadff8cb4a7211e980be7669a739d00d)\nltidiconf@99.9.1 is an empty wrapper package (index.js is `module.exports = {};`, empty author/description, inflated 99.9.1 version) whose sole effect on install is to pull a single dependency declared as a direct tarball URL: `\"ltidisafe\": \"https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.8.tgz\"`. The bytes at that GCS bucket are mutable, unpinned, and not integrity-hashed; the bucket owner can swap the tarball at any time, and whatever code is in it executes at `npm install` time and on `require`. The wrapper has no functional content of its own, the bucket path literally contains the string `depenconf`, and the 99.9.1 version is the canonical shape of a dependency-confusion squat designed to shadow an internal package name and drop arbitrary attacker-controlled code into the installer's environment.\n\n## Source: ossf-package-analysis (82f07d72efb0234c99f1db77fa557334d2cf010cd0a7020e470d6e72518c0a5d)\nThe OpenSSF Package Analysis project identified 'ltidiconf' @ 99.9.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-15T15:46:47.593433297Z","published":"2026-06-14T09:54:09Z","database_specific":{"malicious-packages-origins":[{"sha256":"82f07d72efb0234c99f1db77fa557334d2cf010cd0a7020e470d6e72518c0a5d","versions":["99.9.1"],"modified_time":"2026-06-14T09:54:09Z","source":"ossf-package-analysis","import_time":"2026-06-14T10:35:35.647537799Z"},{"import_time":"2026-06-15T15:30:23.145460417Z","versions":["99.9.1"],"modified_time":"2026-06-15T15:10:50Z","id":"IN-MAL-2026-006495","source":"amazon-inspector","sha256":"d23bfcabd08f1f3edd2a8e962bb0fe97b93785acbe3b05387f896131096b1a2a"},{"sha256":"a4ca306052ea5224831743daec9d3944fadff8cb4a7211e980be7669a739d00d","versions":["99.9.1"],"modified_time":"2026-06-15T15:10:49Z","id":"IN-MAL-2026-006494","source":"amazon-inspector","import_time":"2026-06-15T15:30:23.033169264Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ltidiconf/v/99.9.1"}],"affected":[{"package":{"name":"ltidiconf","ecosystem":"npm","purl":"pkg:npm/ltidiconf"},"versions":["99.9.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ltidiconf/MAL-2026-5767.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-/SIpygfPax1YLY0WdK4DOliRK/eHvHNwMYnuoQRkzGvVTeHpYhhs4v9Dfr9xRSeE5mJ816lTMJ3KOJvA0Ip6dQ==","sha1":"72e736d4a74c4acb90055a11072b98a4e1ed5520"},"filename":"ltidiconf-99.9.1.tgz"}],"domains":["ltidi.storage.googleapis.com","7363616e.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com","7363616e2d366233333065356337333938.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com","2f686f6d652f7363616e.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com"],"evidence_files":[{"sha256":"5bcd53d105dc8824e8fc7ec8902d98a569065fc039ca4b61a72a73a237db18cd","path":"package.json","tlsh":"89e0c2244a656a334eda11b2486b655bf3718e9f0808bc1cabdf042c45edbb368f935c"},{"sha256":"322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8","path":"index.js","tlsh":"0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754"}],"ips":["54.77.139.23","3.248.33.252","172.253.62.207"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}