MAL-2026-5438

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/corporate-front-vue/MAL-2026-5438.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5438
Published
2026-06-09T17:24:13Z
Modified
2026-06-09T18:01:34.164273056Z
Summary
Malicious code in corporate-front-vue (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12)

corporate-front-vue@99.9.1 is a near-empty shim (index.js exports an empty object) whose only meaningful content is a tarball-URL dependency declared in package.json: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.7.tgz". On npm install, npm fetches and installs that tarball directly from an arbitrary Google Cloud Storage bucket (bypassing npm registry review) and executes whatever lifecycle scripts and code it contains on the installer's machine. The package metadata reinforces the dependency-confusion shape: version 99.9.1 (a classic high-overshoot version number designed to outrank an internal-registry package of the same name), empty description, empty author, default ISC license. The path segment depenconf in the tarball URL further matches the dependency-confusion pattern. The registry-visible package exists solely as a loader for non-registry, attacker-controlled bytes.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005036",
            "versions": [
                "99.9.1"
            ],
            "sha256": "97f5749ef14c0d24376c094ef5d1b19fa0d03a2729b61f4a170b21dc0c876f91",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:24:13Z",
            "import_time": "2026-06-09T17:45:50.223525469Z"
        },
        {
            "id": "IN-MAL-2026-005035",
            "versions": [
                "99.9.1"
            ],
            "sha256": "d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:24:13Z",
            "import_time": "2026-06-09T17:45:50.192458673Z"
        }
    ]
}
References
Credits

Affected packages

npm / corporate-front-vue

Package

Name
corporate-front-vue
Purl
pkg:npm/corporate-front-vue

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "23c8f67f070d19d26e62137b96552178b82bb681a72c6addbd482e9a01398ad7",
            "tlsh": "f7e07d24052055334ec500b18c1a980bf3714e5f04047c0c1adf041c41cdbb329f935c"
        }
    ],
    "package_integrity": [
        {
            "filename": "corporate-front-vue-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-6rJ9dnhl7iN4XWemBo6svTUcywji77QHG2Qs0PkxhzLJoKKeOsgOskFs0aXGuUB7Sd23ryXmGN0ZVsbOgWIGGQ==",
                "sha1": "54160350091d50679180fb86c7390d24f2297b42"
            }
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.corporate-front-vue.3rvn1wnkw98e0tcxbsoiqpdtfklbez4nt.oastify.com",
        "7363616e2d303632393762303066376264.corporate-front-vue.3rvn1wnkw98e0tcxbsoiqpdtfklbez4nt.oastify.com",
        "2f686f6d652f7363616e.corporate-front-vue.3rvn1wnkw98e0tcxbsoiqpdtfklbez4nt.oastify.com"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/corporate-front-vue/MAL-2026-5438.json"