MAL-2026-5431

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@webd-infra/query-designer-domain/MAL-2026-5431.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5431
Published
2026-06-09T17:25:32Z
Modified
2026-06-09T18:01:33.069016145Z
Summary
Malicious code in @webd-infra/query-designer-domain (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3)

The package's package.json declares its only dependency ltidisafe as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.3.tgz. On npm install, npm fetches this tarball from a Google Cloud Storage bucket (not the npm registry) and runs whatever lifecycle scripts it contains. The bucket owner — not an npm publisher with registry-side accountability — controls exactly which bytes get executed, and the tarball contents at that URL can change at any time. Supporting indicators: the package has empty author and description fields, the version 99.9.1 is the canonical dependency-confusion sentinel used in research/PoC packages, and the bucket path segment is the literal string depenconf. The package itself ships no other runtime code — its sole effect on installers is resolving and executing this off-registry tarball.
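A check that catches this pattern before npm runs anything, as an added example (it is not OSV, ossf, or Amazon Inspector tooling): it parses a package.json, flags every dependency spec that npm would resolve outside the configured registry (http(s) tarballs, git URLs, github: shorthands, file: paths), records the host the code would be fetched from, and layers on the weaker signals the advisory names (a 99.x version, empty author and description). The suspect package.json below is constructed from the advisory's description of 99.9.1, not the package's real file, and the clean control case is invented.

```python
"""Flag npm dependency specs that bypass the registry (added example, not OSV/ossf tooling)."""
import json
import re
from urllib.parse import urlparse

# Constructed from the advisory text; field layout is an assumption, not the real file.
SUSPECT_PACKAGE_JSON = json.dumps({
    "name": "@webd-infra/query-designer-domain",
    "version": "99.9.1",
    "author": "",
    "description": "",
    "dependencies": {
        "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.3.tgz"
    },
})

# Invented benign control case.
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "version": "1.4.2",
    "author": "Example Maintainer",
    "description": "Internal query designer",
    "dependencies": {"lodash": "^4.17.21", "express": "~4.19.0"},
})

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
# Spec forms that make npm fetch code from somewhere other than the configured registry:
# http(s) tarball URLs, git URLs/prefixes, hosted shorthands, local paths and bare "owner/repo".
OFF_REGISTRY_RE = re.compile(
    r"^(https?://|git\+|git://|github:|gitlab:|bitbucket:|file:"
    r"|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#|$))"
)
SENTINEL_MAJOR = 99  # 99.x.y is the dependency-confusion PoC convention the advisory cites


def off_registry_specs(pkg: dict) -> list[tuple[str, str, str]]:
    """Return (field, dependency name, spec) for every dependency not served by the registry."""
    hits = []
    for field in DEP_FIELDS:
        for name, spec in (pkg.get(field) or {}).items():
            if isinstance(spec, str) and OFF_REGISTRY_RE.match(spec):
                hits.append((field, name, spec))
    return hits


def metadata_indicators(pkg: dict) -> list[str]:
    """Weak signals that raise severity when combined with an off-registry dependency."""
    signals = []
    version = str(pkg.get("version", ""))
    major = version.split(".", 1)[0]
    if major.isdigit() and int(major) == SENTINEL_MAJOR:
        signals.append(f"sentinel major version {version}")
    for field in ("author", "description"):
        if not pkg.get(field):
            signals.append(f"empty {field}")
    return signals


def tarball_hosts(hits: list[tuple[str, str, str]]) -> set[str]:
    """Hosts that would serve executable code at install time (candidates for egress blocking)."""
    return {
        urlparse(spec).hostname
        for _, _, spec in hits
        if spec.startswith(("http://", "https://"))
    }


def assess(package_json_text: str) -> dict:
    """Parse a package.json and decide whether an install should be blocked."""
    pkg = json.loads(package_json_text)
    hits = off_registry_specs(pkg)
    return {
        "name": pkg.get("name"),
        "off_registry": hits,
        "hosts": tarball_hosts(hits),
        "signals": metadata_indicators(pkg),
        # One off-registry dependency is enough to block; the signals only add context.
        "block": bool(hits),
    }


if __name__ == "__main__":
    for text in (SUSPECT_PACKAGE_JSON, CLEAN_PACKAGE_JSON):
        print(json.dumps(assess(text), default=sorted, indent=2))
```

Run this over every package.json in the tree before `npm install`, or fail CI on it. A hit in `off_registry` alone justifies blocking: the spec carries no integrity hash, so whatever was reviewed is not necessarily what the bucket serves at install time. `npm install --ignore-scripts` stops the tarball's lifecycle scripts from running but still fetches and unpacks it into node_modules, so it narrows the blast radius without removing the dependency.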

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005048",
            "versions": [
                "99.9.1"
            ],
            "sha256": "09de5dd8298cd731b0a421ff015b7830918c5d8d5ac3fe29378ecf042596832a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:25:33Z",
            "import_time": "2026-06-09T17:45:51.114960014Z"
        },
        {
            "id": "IN-MAL-2026-005047",
            "versions": [
                "99.9.1"
            ],
            "sha256": "1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:25:32Z",
            "import_time": "2026-06-09T17:45:51.050413079Z"
        }
    ]
}

Affected packages

npm / @webd-infra/query-designer-domain

Package

Name
@webd-infra/query-designer-domain
Purl
pkg:npm/%40webd-infra%2Fquery-designer-domain

Affected ranges

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "3ae8f7903240a19b8193ce6ecd9e63a314cdfd1a86c1315b8ba5b3448ac196f3",
            "tlsh": "d9e026244a2065334ad601f5881b9157b3b18e5f0804bc0c5beb041c918da7328f925c"
        }
    ],
    "package_integrity": [
        {
            "filename": "query-designer-domain-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-aaOum6tRT6BHeKcyUz03E+DtgDerhG5OmIV1gocxYzyfCXFULY8IMqkD8HBcA3pFvKvD5v7Fd87sBXzb73Gztg==",
                "sha1": "b44f0b9666a46ec1e3046196b252d41adec5899f"
            }
        }
    ],
    "domains": [
        "2f686f6d652f7363616e.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com",
        "ltidi.storage.googleapis.com",
        "7363616e.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com",
        "7363616e2d373962383761363130383137.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com"
    ]
}
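The four indicator hostnames above are worth more than a blocklist entry. Three of them sit under oastify.com (Burp Collaborator's out-of-band callback domain), their second label is the package scope webd-infra, and their leftmost labels are hex: they decode to "/home/scan", "scan" and "scan-79b87a610817". As an added example, not part of the advisory or of OSV tooling, the Python below runs that decoding over resolver log lines so a responder sees what data left the host and not only which host it went to. The log lines and their "timestamp client qname" layout are constructed; adapt the parser to your resolver's format.

```python
"""Decode hex-encoded labels in OAST callback hostnames from DNS logs (added example)."""
import re

# Common out-of-band interaction domains; oastify.com is Burp Collaborator's default.
OAST_SUFFIXES = ("oastify.com", "burpcollaborator.net", "interact.sh", "oast.fun")

# Constructed resolver log lines in an assumed "timestamp client qname" layout. The three
# oastify.com names are the ones the advisory lists; the npm registry line is a control.
SAMPLE_DNS_LOG = """\
2026-06-09T17:10:02Z 10.0.4.17 2f686f6d652f7363616e.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com
2026-06-09T17:10:02Z 10.0.4.17 7363616e.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com
2026-06-09T17:10:03Z 10.0.4.17 7363616e2d373962383761363130383137.webd-infra.q7yahj37cwo1ggskrf456ctgv716pwdl.oastify.com
2026-06-09T17:10:05Z 10.0.4.21 registry.npmjs.org
"""

HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2})+$")


def is_oast(qname: str) -> bool:
    """True when the query name is under a known out-of-band callback domain."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in OAST_SUFFIXES)


def decode_hex_labels(qname: str) -> list[str]:
    """Decode each even-length hex label (4+ chars) to text; other labels pass through unchanged."""
    out = []
    for label in qname.rstrip(".").split("."):
        if len(label) >= 4 and HEX_LABEL.match(label.lower()):
            try:
                out.append(bytes.fromhex(label).decode("utf-8"))
                continue
            except UnicodeDecodeError:
                pass  # hex that is not text: keep the raw label
        out.append(label)
    return out


def find_oast_callbacks(log_text: str) -> list[dict]:
    """Return one finding per OAST query with the leftmost label decoded."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        if not is_oast(qname):
            continue
        labels = decode_hex_labels(qname)
        findings.append({
            "ts": ts,
            "client": client,
            "qname": qname,
            "decoded": labels[0],  # leftmost label: the per-query payload
            "tag": labels[1],      # next label: "webd-infra" in the advisory's hostnames
        })
    return findings


if __name__ == "__main__":
    for f in find_oast_callbacks(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['client']} tag={f['tag']} decoded={f['decoded']!r}")
```

Feed it your resolver or DNS-firewall logs for the install window of the affected hosts. The client field tells you which build agent or workstation ran the install, the decoded label tells you what the post-install script encoded into the query, and the tag label lets you correlate callbacks across several packages published by the same actor.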
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@webd-infra/query-designer-domain/MAL-2026-5431.json"