MAL-2026-5430

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sourceflow-uk/sourceflow-tracker/MAL-2026-5430.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5430
Published
2026-06-09T17:18:34Z
Modified
2026-06-09T18:01:33.008076806Z
Summary
Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d)

package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz — a tarball hosted on a generic Google Cloud Storage bucket unrelated to the package's nominal publisher (@sourceflow-uk). On npm install, npm fetches and installs that tarball as a transitive dependency, executing any lifecycle scripts (preinstall/install/postinstall) it contains on the installer's machine. The URL is not version-pinned, not hash-verified, and not under the publisher's control: the bucket owner can swap the tarball contents at any time, so a future install delivers different bytes than a present install with no package change. The wrapper package itself is hollow — index.js only runs console.log("hello from lslslslslss"), the description is the garbled string lspodcc, the author is lslsls, and the version is 99.91.9. These attributes are inconsistent with the advertised "sourceflow tracker" functionality and consistent with a throwaway lure whose sole purpose is to chain-load the third-party tarball into the installer's dependency tree.

Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:18:34Z",
            "versions": [
                "99.91.9"
            ],
            "sha256": "056586762b747716eb425caabeec72f83665eae6c88d6320a927b705f4867ad4",
            "id": "IN-MAL-2026-005016",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.14636374Z"
        },
        {
            "modified_time": "2026-06-09T17:18:34Z",
            "versions": [
                "99.91.9"
            ],
            "sha256": "c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d",
            "id": "IN-MAL-2026-005015",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.071306398Z"
        }
    ]
}
References
Credits

Affected packages

npm / @sourceflow-uk/sourceflow-tracker

Package

Name
@sourceflow-uk/sourceflow-tracker
View open source insights on deps.dev
Purl
pkg:npm/%40sourceflow-uk%2Fsourceflow-tracker

Affected ranges

Affected versions

99.*
99.91.9

Database specific

indicators 
{
    "domains": [
        "storage.googleapis.com",
        "10.201.176.2.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com",
        "7363616e2d386661393038626631316461.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com",
        "2f686f6d652f7363616e.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "81ba01b776825d7bd6a7819f656074d826f3861e104328681a21506976f0d491",
            "tlsh": "39e0df28995255334bc942e64c257827eaa95e0e100c7c0947db212c49deab37dfa36c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-tsfzUxVKmVCY02W9rN9HIXupUJjBXpiq1dZXNHHcLJ0ButH+05/Ckelw0P4WDrfBj6v481K00vNoa4cx0HqY2w==",
                "sha1": "1740d0d60801b96daa36c0ff3373aeea56ce479b"
            },
            "filename": "sourceflow-tracker-99.91.9.tgz"
        }
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sourceflow-uk/sourceflow-tracker/MAL-2026-5430.json"
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]