MAL-2026-4432

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sec-loans-ui/utils/MAL-2026-4432.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4432
Aliases
  • GHSA-vw7r-pxm7-p56f
Published
2026-05-20T06:16:35Z
Modified
2026-06-29T17:31:46.833580641Z
Summary
Malicious code in @sec-loans-ui/utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9)

Package is a hollow lure: index.js is a 35-byte stub (module.exports = {}), description and author are empty, and the version is bumped to 99.9.1 — the canonical version-race shape used to beat an internal @sec-loans-ui/utils package in resolution. The package's only on-install effect is its single dependency, declared as a direct HTTPS tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.4.1.tgz". The host ltidi.storage.googleapis.com is an anonymous third-party Google Cloud Storage bucket, not an npm-registry package and not infrastructure under the @sec-loans-ui scope. The URL path literally contains the string depenconf. On npm install, npm fetches that tarball and runs whatever lifecycle scripts it contains; the bucket owner can rotate the bytes served at that URL at any time without any change to this manifest. Installer harm: any environment that resolves this package as their internal @sec-loans-ui/utils will execute attacker-controlled code from a mutable, opaque, non-publisher bucket.

Source: ghsa-malware (da0e1e23132e65746453d3d7b116ae7988a0428656b579545bb58646f1ac422b)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.1"
            ],
            "sha256": "35902497455c6ee82337b42f0c5c610bf89b30985cf2b5b95266a85ed5867932",
            "modified_time": "2026-05-20T06:16:35Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:43.185918077Z",
            "id": "IN-MAL-2026-003477"
        },
        {
            "versions": [
                "99.9.1"
            ],
            "sha256": "da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9",
            "modified_time": "2026-05-20T06:16:35Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:43.065321643Z",
            "id": "IN-MAL-2026-003476"
        },
        {
            "sha256": "da0e1e23132e65746453d3d7b116ae7988a0428656b579545bb58646f1ac422b",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T16:53:17Z",
            "source": "ghsa-malware",
            "id": "GHSA-vw7r-pxm7-p56f",
            "import_time": "2026-06-29T17:14:01.311174001Z"
        }
    ]
}
References
Credits

Affected packages

npm / @sec-loans-ui/utils

Package

Name
@sec-loans-ui/utils
View open source insights on deps.dev
Purl
pkg:npm/%40sec-loans-ui%2Futils

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "utils-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-re+sg5YdcBp0wIQe1BaiYeS6Tmps7PQ4w23E1vBy7Rc2xluI+k4Y3NlHKMem14tXxPyrAULDWww2WXDE9zRcAA==",
                "sha1": "defd56234afd69164feaa53c5c407595eb42499b"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "95c3146566698ffdf2c862a9206e674687425e0083869a2388617730bfa4fe54",
            "path": "package.json",
            "tlsh": "91e07d30462059330fc510b2481a9107f3b08e4f4408bc1c5adb041c418db7328fd35c"
        }
    ],
    "domains": [
        "7363616e.sec-loans-ui.4v0rxhlh08pdatrxggao8pn54wan2bszh.oastify.com",
        "7363616e2d356663353434393933323761.sec-loans-ui.4v0rxhlh08pdatrxggao8pn54wan2bszh.oastify.com",
        "2f686f6d652f7363616e.sec-loans-ui.4v0rxhlh08pdatrxggao8pn54wan2bszh.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sec-loans-ui/utils/MAL-2026-4432.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]