MAL-2026-10198

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polylabel-web-lib/MAL-2026-10198.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10198
Published
2026-07-12T15:12:41Z
Modified
2026-07-12T15:31:56.933426739Z
Summary
Malicious code in polylabel-web-lib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ce7df46acd8236fafbaa27dbccb92d1f286c17b023ea5ff555700e76c4a0188f)

polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz". On npm install, npm fetches this out-of-registry tarball and runs any lifecycle scripts it contains, so the bucket owner controls arbitrary install-time code that executes on the installer's machine. The tarball host is not the npm registry, is not tied to an established publisher CDN for this name, and its contents are mutable at the bucket owner's discretion. The package's own code has no functional purpose beyond smuggling this out-of-registry dependency into installer environments, matching the dependency-smuggling / lure shape used to deliver install-time payloads.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ce7df46acd8236fafbaa27dbccb92d1f286c17b023ea5ff555700e76c4a0188f",
            "id": "IN-MAL-2026-009752",
            "modified_time": "2026-07-12T15:12:41Z",
            "versions": [
                "99.9.1"
            ],
            "import_time": "2026-07-12T15:24:47.934231494Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / polylabel-web-lib

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "e75d42df6e2189022ec6109191f7a6619b7a04c8a673f38cdef310509c78fd2e",
            "tlsh": "26e07d20462157334ec501f94c1a6007f3714e4f1408bc0c9edb042c418dbf328f925d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "polylabel-web-lib-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-3DJIEfwdnYODym23tQx/BkYe5g3Fc0uzOTCig014e0bmJyTf2IDPb/PektampGE/dGuy7MM2Lsi5TxMASrcAWg==",
                "sha1": "83b1c0641c250bb474869416f7f397df8cd33bee"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polylabel-web-lib/MAL-2026-10198.json"