{"id":"MAL-2026-7005","summary":"Malicious code in visa-cli-tools (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec)\nPackage presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json declares a single dependency 'ltidisafe' via a direct URL to a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz) rather than a registry name+semver. The URL path segment 'depenconf' explicitly labels the dependency-confusion technique. On `npm install`, the tarball is fetched from the bucket (outside registry review, mutable by the bucket owner at any time) and its contents enter the installer's dependency tree with normal install-time execution rights, including any lifecycle hooks in that tarball. The hollow lure + inflated version + name mimicking an internal namespace + external mutable tarball delivery jointly constitute a dependency-confusion dropper.\n","modified":"2026-07-08T17:16:53.650412776Z","published":"2026-07-08T16:24:09Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-08T16:24:09Z","id":"IN-MAL-2026-008095","sha256":"a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec","versions":["99.9.1"],"source":"amazon-inspector","import_time":"2026-07-08T17:01:29.965123656Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/visa-cli-tools/v/99.9.1"}],"affected":[{"package":{"name":"visa-cli-tools","ecosystem":"npm","purl":"pkg:npm/visa-cli-tools"},"versions":["99.9.1"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"22e07d34493156330ec901b6481b600bf3714e4f0408bd0c1bdb041c418da7338f935c","sha256":"96812e1747a2865d619437e6e91eb803cbff03b56d6251602f75c9bbf4ced714","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"7b89165f3e56e0d18d495dd2decd94a64510672d","sha512_sri":"sha512-JQJiXszGuHdbdIuU0GwrGXRXIbNY/Nqz7t2FIFUddWRakiDyB6K9LMhlry5RBQPyLHYBUiDqSsNR9sJm3Lxl+A=="},"filename":"visa-cli-tools-99.9.1.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/visa-cli-tools/MAL-2026-7005.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}