MAL-2026-5158

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/page-info-service/MAL-2026-5158.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5158
Aliases
  • GHSA-67v8-5gw6-m65g
Published
2026-06-02T11:30:35Z
Modified
2026-07-10T17:02:02.775734265Z
Summary
Malicious code in page-info-service (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd)

page-info-service@99.9.1 ships an empty stub (index.js is module.exports = {}) with placeholder author/description metadata and an unusually high 99.9.1 version designed to win semver resolution against an internal package name. Its sole effect is a dependencies entry that pulls ltidisafe from an external HTTPS tarball at https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz — not from the npm registry. On npm install, npm fetches and installs that tarball and runs whatever lifecycle scripts and code it contains. The tarball is hosted on a third-party Google Cloud Storage bucket under a path (depenconf/) that explicitly suggests dependency-confusion tooling; its contents are mutable by the bucket owner, there is no integrity hash, no version pinning to a trusted registry, and no relation to any stated package purpose. This matches the canonical dependency-confusion off-registry-dropper pattern.

Source: ghsa-malware (d4629b915cdacf2c06a56d5bb43476aef698d2e2a827d15eeb303154454b105b)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Source: ossf-package-analysis (d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e)

The OpenSSF Package Analysis project identified 'page-info-service' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e",
            "import_time": "2026-06-02T11:33:40.237952626Z",
            "modified_time": "2026-06-02T11:30:35Z",
            "source": "ossf-package-analysis",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd",
            "import_time": "2026-06-09T17:45:50.427494025Z",
            "modified_time": "2026-06-09T17:24:49Z",
            "id": "IN-MAL-2026-005039",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "bdbe4cc5072cdaa733c65ed059bbb9a1b51dc29b51cfc3b2ce1fa7ab9ea662bd",
            "import_time": "2026-06-09T17:45:50.502405007Z",
            "modified_time": "2026-06-09T17:24:50Z",
            "id": "IN-MAL-2026-005040",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "id": "GHSA-67v8-5gw6-m65g",
            "sha256": "d4629b915cdacf2c06a56d5bb43476aef698d2e2a827d15eeb303154454b105b",
            "modified_time": "2026-07-10T16:24:50Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "import_time": "2026-07-10T16:54:13.226491954Z"
        }
    ]
}
References
Credits

Affected packages

npm / page-info-service

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "page-info-service-99.9.1.tgz",
            "hashes": {
                "sha1": "b2447bc34ec327e1306b2901e1e9d08ff9a5f8aa",
                "sha512_sri": "sha512-bLXIBKBqcLQ55ZYKZFHloCIJVa5HB4NLKqBYR8JmdCYtHBrP8D4rH6yIlI8zXy7q5l+cEtKDi4FzzBSEtF6DXQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "8ee0cd24496155334ec511b55c1f6557f3719e5f1405bd1d5beb041c418da7328f925c",
            "sha256": "708b716a7ea695a807e1db605f17615e5eae9ee149c4393ba98dc130c0d41cef",
            "path": "package.json"
        }
    ],
    "domains": [
        "2f686f6d652f7363616e.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com",
        "7363616e.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com",
        "7363616e2d343932303235386263356165.page-info-service.f4kze80w9llqd5p9o41u31q5swynobez3.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/page-info-service/MAL-2026-5158.json"