MAL-2026-4464

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vtmn-play/react/MAL-2026-4464.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4464
Published
2026-05-20T02:21:32Z
Modified
2026-05-26T06:02:14.057141305Z
Summary
Malicious code in @vtmn-play/react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145)

Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical dependency-confusion version-bump shape used to override an internal package on installer machines. The package's own code is an empty stub (module.exports = {}). package.json declares a dependency ltidisafe resolved from a non-registry tarball URL, https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.2.tgz, whose path segment depenconf explicitly advertises dependency-confusion intent. On npm install, npm fetches and installs that arbitrary tarball from a generic Google Cloud Storage bucket unrelated to Decathlon, dragging attacker-controlled code into the installer's dependency tree; because the dependency is a remote tarball rather than a registry package, nothing in the registry's metadata or integrity data covers it, and the bucket owner can serve different content on each fetch until a lockfile pins it. The stub-host pattern combined with an off-registry tarball whose URL is self-labeled with the attack name leaves no benign interpretation.
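The install-time vector above (a manifest dependency that points at a tarball URL instead of a registry range) is easy to miss in a dependency review, because the package name looks ordinary and only the specifier differs. The following is an added example, not code from the advisory or from the package, that audits a package.json and a lockfile for non-registry specifiers and for the high-major version shape. The sample manifest and lockfile are constructed here to mirror the advisory's description; the package name, version and tarball URL are the ones the advisory cites, and `registry.npmjs.org` is assumed to be the only allowed registry host.

```javascript
// Added example (not the advisory's or the package's own code): flag npm
// dependencies that resolve outside the registry, the vector this advisory
// describes. Runs offline on constructed sample input.

// Assumption: only the public registry is an allowed source. Add private
// registry hosts here if you run one.
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// npm accepts these non-registry specifier shapes in package.json:
// tarball URLs, git URLs (including github:/user/repo shorthand) and
// local file/link paths. Anything else is treated as a registry range/tag.
function classifySpec(spec) {
  if (/^https?:\/\//i.test(spec)) return "tarball-url";
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#\S*)?$/.test(spec)) return "git";
  if (/^(file:|link:|\.\.?\/|\/)/.test(spec)) return "local";
  return "registry";
}

// Walk every dependency field of a manifest and report non-registry specs.
function scanManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "registry") findings.push({ where: `${field}.${name}`, spec, kind });
    }
  }
  return findings;
}

// Lockfile v2/v3: each "packages" entry carries the URL it was fetched from.
// A lockfile can pin a dependency to an arbitrary tarball even when the
// manifest looks clean, and `npm ci` fetches exactly what it records.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.resolved) continue; // "" is the root package itself
    let host;
    try { host = new URL(entry.resolved).hostname; } catch { continue; }
    if (!REGISTRY_HOSTS.has(host)) findings.push({ where: path, resolved: entry.resolved, host });
  }
  return findings;
}

// The "override whatever the internal registry has" shape: a major version
// far beyond anything the project plausibly ships. Threshold is an assumption.
function isVersionBumpShape(version, maxPlausibleMajor = 50) {
  const major = parseInt(version.split(".")[0], 10);
  return Number.isInteger(major) && major >= maxPlausibleMajor;
}

// Constructed sample input mirroring the advisory; not the real package files.
const SAMPLE_PACKAGE_JSON = {
  name: "@vtmn-play/react",
  version: "99.9.1",
  dependencies: {
    react: "^18.2.0",
    ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.2.tgz",
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "@vtmn-play/react", version: "99.9.1" },
    "node_modules/react": { version: "18.2.0", resolved: "https://registry.npmjs.org/react/-/react-18.2.0.tgz" },
    "node_modules/ltidisafe": { version: "2.3.2", resolved: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.2.tgz" },
  },
};

function auditSample() {
  return {
    manifest: scanManifest(SAMPLE_PACKAGE_JSON),
    lockfile: scanLockfile(SAMPLE_LOCK),
    versionBump: isVersionBumpShape(SAMPLE_PACKAGE_JSON.version),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run it with `node` to see the manifest finding (`dependencies.ltidisafe`, kind `tarball-url`), the lockfile finding (host `ltidi.storage.googleapis.com`) and the version-bump flag. In a CI gate, feed it the real `package.json` and `package-lock.json` and fail the build on any non-registry finding; treat a git or local specifier as a review item rather than an automatic block, since monorepos use them legitimately.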

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2e6505a22310d49627feb1b1862e401a7b5a886b80f8a60ed1f824376c8767e9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:21:33Z",
            "import_time": "2026-05-26T05:50:35.148970618Z",
            "versions": [
                "99.9.1"
            ],
            "id": "IN-MAL-2026-003407"
        },
        {
            "source": "amazon-inspector",
            "sha256": "6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145",
            "modified_time": "2026-05-20T02:21:32Z",
            "versions": [
                "99.9.1"
            ],
            "id": "IN-MAL-2026-003406",
            "import_time": "2026-05-26T05:50:35.044013065Z"
        }
    ]
}
References
Credits

Affected packages

npm / @vtmn-play/react

Package

Name
@vtmn-play/react
Purl
pkg:npm/%40vtmn-play%2Freact

Affected ranges

Affected versions

99.*
99.9.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vtmn-play/react/MAL-2026-4464.json"
indicators
{
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com",
        "7363616e2d376165366663616333646433.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com",
        "2f686f6d652f7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com"
    ],
    "package_integrity": [
        {
            "filename": "react-99.9.1.tgz",
            "hashes": {
                "sha1": "557cd7cc5f8908b1cf7f2a6d07c62b3ab13b57fe",
                "sha512_sri": "sha512-ous3ICFFgc8IIvDEnBcgDF9NJETqEbWv+ac3kq6j2gXJ/HYZQJ4482V+LAVZt8FCRLpfmDCEb2FeyNI8gWcRIA=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3415dc396c96b6c7b18c7c8e40beca316cb6c8f6610dc50e8e3aca6812c5048c",
            "tlsh": "cbe0cd64456156334fc511b6481b555bf3714e5f04047d1c5bdb441c459dab328f935d",
            "path": "package.json"
        }
    ]
}
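The three oastify.com hosts in the indicators above share one shape: a hex-encoded leftmost label, then the package name `vtmn-play-react`, then a fixed Collaborator-style identifier. Hex-encoding a value into a DNS label is a common way to carry exfiltrated data inside a lookup that only has to resolve, not connect. The following added example, not from the advisory, decodes those labels so an analyst can see what each beacon carried; the domain list is copied from the indicators block, the printable-ASCII filter is an assumption to separate encoded text from random identifiers, and the reading of the decoded strings as a username, hostname and home directory is an inference, not something the advisory states.

```javascript
// Added example (not the advisory's own code): decode hex-encoded DNS
// labels from the oastify.com indicators listed in this advisory.

// Copied from the indicators block above.
const INDICATOR_DOMAINS = [
  "ltidi.storage.googleapis.com",
  "7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com",
  "7363616e2d376165366663616333646433.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com",
  "2f686f6d652f7363616e.vtmn-play-react.sfbfh555kw91uhbl04ucsd7tokukia6z.oastify.com",
];

// Decode the leftmost label if it is an even-length hex string whose bytes
// are all printable ASCII; otherwise return null (assumed filter: a label
// that decodes to control bytes is more likely an opaque id than text).
function decodeHexLabel(domain) {
  const label = domain.split(".")[0];
  if (label.length === 0 || label.length % 2 !== 0) return null;
  if (!/^[0-9a-f]+$/i.test(label)) return null;
  const text = Buffer.from(label, "hex").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Split a beacon hostname into its parts: payload label, tag (here the
// package name), callback identifier, and the callback service domain.
function parseBeacon(domain) {
  const labels = domain.split(".");
  return {
    domain,
    decoded: decodeHexLabel(domain),
    tag: labels.length >= 4 ? labels[1] : null,
    callbackId: labels.length >= 4 ? labels[2] : null,
    service: labels.slice(-2).join("."),
  };
}

function decodeIndicators(domains = INDICATOR_DOMAINS) {
  return domains.map(parseBeacon);
}

for (const b of decodeIndicators()) {
  console.log(`${b.domain}\n  decoded: ${b.decoded === null ? "(not hex text)" : JSON.stringify(b.decoded)}`);
}
```

Decoded, the three beacon labels read `scan`, `scan-7ae6fcac3dd3` and `/home/scan`, which is consistent with a payload that phones home the current user, hostname and home directory of the machine running the install; the fixed middle labels let the receiver attribute each lookup to this package and this campaign. The same decoder works on any DNS log: pull distinct hostnames ending in the callback domain and run them through it to recover what left the network.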
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]