{
  "id": "MAL-2026-6546",
  "summary": "Malicious code in ryan-pdf-js (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb)\nryan-pdf-js@99.9.1 is an empty stub package (index.js exports {}) whose sole purpose is to deliver an off-registry payload at install time. Its package.json declares its only dependency, `ltidisafe`, as a direct HTTPS tarball URL on a generic Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz) rather than a registry name, bypassing npm registry scanning. On `npm install`, npm fetches and unpacks that tarball, and any lifecycle scripts it contains execute on the installer's machine. The bucket path `depenconf/` is consistent with dependency-confusion staging, and the package name evokes the widely-used pdf.js ecosystem while shipping no real implementation — a typosquat-shaped lure whose only effect is to route installs through the off-registry dropper.\n",
  "modified": "2026-06-27T14:46:40.790893542Z",
  "published": "2026-06-27T14:21:07Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007677",
        "import_time": "2026-06-27T14:36:43.600830137Z",
        "versions": ["99.9.1"],
        "modified_time": "2026-06-27T14:21:07Z",
        "sha256": "c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb",
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        "source": "amazon-inspector"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/ryan-pdf-js/v/99.9.1"}
  ],
  "affected": [
    {
      "package": {"name": "ryan-pdf-js", "ecosystem": "npm", "purl": "pkg:npm/ryan-pdf-js"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
      "versions": ["99.9.1"],
      "database_specific": {
        "cwes": [
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}
        ],
        "indicators": {
          "evidence_files": [
            {"tlsh": "1ae072204a206a330ec601f2882a614bf3718e5f0408bc0c2bdb082c408ea7328fa29c", "path": "package.json", "sha256": "f2c727945460674250f5dff3b64258a5aa011c06a0009ec11eebbb04a1298819"},
            {"tlsh": "0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754", "path": "index.js", "sha256": "322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8"}
          ],
          "package_integrity": [
            {"hashes": {"sha512_sri": "sha512-0uFMmZv7jxMGXj4vzf1NYMEjZilYrpLC6whYMzEYfsXietGON110GQi9kgsCRd7zXRowxH6DesUFqYVJ+GXbvw==", "sha1": "08d81cc0838beba89f4eb2285e9ac932dc6ed88b"}, "filename": "ryan-pdf-js-99.9.1.tgz"}
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ryan-pdf-js/MAL-2026-6546.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}