MAL-2026-5446

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/housecall-ui/MAL-2026-5446.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5446
Published
2026-06-09T17:23:49Z
Modified
2026-06-09T18:01:36.363048286Z
Summary
Malicious code in housecall-ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe)

housecall-ui@99.9.1 is a hollow npm package (empty description, empty author, index.js exports an empty object) whose sole runtime dependency is declared as an HTTPS tarball URL pointing at a third-party Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz" (package.json line 10). On npm install, npm fetches whatever bytes currently reside at that GCS URL and executes any lifecycle scripts (preinstall/install/postinstall) inside the resulting tarball. The bucket is not the npm registry and is not documented publisher infrastructure for any vendor; the dependency is not pinned by hash, and the bucket's contents are mutable by whoever controls it, so the installer cannot audit or guarantee what code will run.

The package's name is brand-adjacent to HouseCall Pro and the version is artificially inflated to 99.9.1, the canonical pattern of a dependency-confusion lure designed to outrank an internal private package of the same name in mixed-resolution environments. The surrounding package contributes no functionality; its only effect on install is to sideload ltidisafe from attacker-mutable infrastructure.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005029",
            "versions": [
                "99.9.1"
            ],
            "sha256": "67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:23:49Z",
            "import_time": "2026-06-09T17:45:49.938772563Z"
        },
        {
            "id": "IN-MAL-2026-005030",
            "versions": [
                "99.9.1"
            ],
            "sha256": "fac4b593cce0ccef6f616ac18250600b6692702eedba77bff01a290e1c07b2fa",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:23:50Z",
            "import_time": "2026-06-09T17:45:49.968550722Z"
        }
    ]
}
References
Credits

Affected packages

npm / housecall-ui

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]