{"id":"MAL-2026-6095","summary":"Malicious code in oem-agentic-shared (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f612eb2fa947323c936a0bb1becc602f0f837f9023edac22a945470566386a8c)\noem-agentic-shared@99.9.1 is a hollow stub: index.js exports an empty object and package.json has empty author, empty description, and no real functionality. Its sole effect on install is to pull in a single dependency declared as a direct HTTPS tarball URL — `ltidisafe` pinned to `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.9.tgz` — instead of an npm-registry version. The Google Cloud Storage bucket is not associated with this package's name and is not a known publisher CDN, so the tarball contents bypass npm-registry scanning entirely and any lifecycle scripts inside that tarball execute on `npm install`. The wrapper-plus-off-registry-tarball shape is a known smuggling pattern whose only purpose is to inject attacker-controlled, unscanned code into the installer's dependency graph.\n","modified":"2026-06-18T05:46:38.344095616Z","published":"2026-06-18T03:56:46Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-18T03:56:46Z","versions":["99.9.1"],"import_time":"2026-06-18T05:42:04.856292316Z","source":"amazon-inspector","sha256":"f612eb2fa947323c936a0bb1becc602f0f837f9023edac22a945470566386a8c","id":"IN-MAL-2026-006964"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/oem-agentic-shared/v/99.9.1"}],"affected":[{"package":{"name":"oem-agentic-shared","ecosystem":"npm","purl":"pkg:npm/oem-agentic-shared"},"versions":["99.9.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oem-agentic-shared/MAL-2026-6095.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-gBzHuVslA6mV5wCTZyiRJQXkJJunwrUST/N1jPYhOGOD0b9e0jedIEZTLqru2XNmxR849uMqE05pGiSBxJGg8Q==","sha1":"8406d06c4ac1bd857eee94e0c4f3874e2427848e"},"filename":"oem-agentic-shared-99.9.1.tgz"}],"evidence_files":[{"tlsh":"28e07d3009605a330ec511b1881b5117f3718e5f0804bc0c2adf041c508eb7338fe25c","sha256":"09ae14c795f7e12e7fe1d101133077ea55e3b808408c6dff4ecebed10e203468","path":"package.json"},{"tlsh":"0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754","sha256":"322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}