MAL-2026-5447

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/localization-lib/MAL-2026-5447.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5447
Published
2026-06-09T17:23:58Z
Modified
2026-06-09T18:01:36.468581088Z
Summary
Malicious code in localization-lib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94)

localization-lib@99.9.1 is an empty shell package: index.js is module.exports = {} and package.json has no description or author. Its dependencies field declares "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.1.tgz", resolving a transitive dependency directly from a third-party Google Cloud Storage bucket rather than the npm registry. On npm install, npm fetches and installs that opaque tarball and executes any lifecycle hooks it declares on the installer's machine. The version 99.9.1 is the canonical outranking-version pattern used in dependency-confusion attacks to override a legitimate internally-named package, and the URL path literally contains the token depenconf. The package has no functional purpose other than smuggling this off-registry dependency into the installer's environment.
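The two signals the analysis above relies on, a dependency resolved from an arbitrary URL instead of the registry and an implausibly high version number, can both be checked mechanically before a manifest is installed. The following Node.js script is an added example and is not part of the OSV record or of the ossf/malicious-packages project; it audits a package.json for non-registry dependency specifiers (URL, git, local-path and alias forms) and for an outranking major version. The sample manifest is constructed from the advisory's description, not the actual published file, and the threshold of major version 90 is an assumed heuristic.

```javascript
'use strict';

// Constructed sample modelled on the advisory's description of
// localization-lib@99.9.1; it is not the real package.json from the tarball.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'localization-lib',
  version: '99.9.1',
  main: 'index.js',
  dependencies: {
    ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.1.tgz',
    lodash: '^4.17.21',
  },
});

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Assumed heuristic: a major version this high is unlikely for a real release
// and matches the outranking pattern used in dependency-confusion attempts.
const OUTRANKING_MAJOR = 90;

// Classify one dependency specifier. Every non-"registry" form bypasses the
// registry's metadata, signatures and provenance attestations.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(https?:|git\+|git:|ssh:)/i.test(s)) return 'url';
  if (/^(github:|gitlab:|bitbucket:|gist:)/i.test(s)) return 'git-shorthand';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git-shorthand'; // bare user/repo form
  if (/^file:/i.test(s) || /^\.{0,2}\//.test(s)) return 'local-path';
  if (/^npm:/i.test(s)) return 'alias';
  return 'registry';
}

// Extract the host of a URL specifier so reviewers can see where the
// tarball would be fetched from; returns null if the URL does not parse.
function hostOf(spec) {
  try {
    return new URL(String(spec).replace(/^git\+/i, '')).hostname;
  } catch {
    return null;
  }
}

// Audit a package.json text and return a list of findings. An empty list
// means every dependency is a plain registry range and the version is sane.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'registry') continue;
      findings.push({ field, name, spec, kind, host: kind === 'url' ? hostOf(spec) : null });
    }
  }
  const major = parseInt(String(pkg.version || '').split('.')[0], 10);
  if (Number.isInteger(major) && major >= OUTRANKING_MAJOR) {
    findings.push({ field: 'version', name: pkg.name, spec: pkg.version, kind: 'outranking-version', host: null });
  }
  return findings;
}

// Run against the constructed sample when executed directly.
console.log(JSON.stringify(auditPackageJson(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node audit.js` (or feed a real manifest via `fs.readFileSync`) as a pre-install gate in CI; a URL finding whose host is a cloud-storage bucket rather than a source forge is the shape this advisory describes, and any finding of kind `url` or `git-shorthand` deserves a human look before `npm install` is allowed to run lifecycle scripts.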

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005032",
            "versions": [
                "99.9.1"
            ],
            "sha256": "bcd25156cfc8d9cd6b46f2b84b7212acd8a139ae38c964302332104a0fb44067",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:23:59Z",
            "import_time": "2026-06-09T17:45:50.052115617Z"
        },
        {
            "id": "IN-MAL-2026-005031",
            "versions": [
                "99.9.1"
            ],
            "sha256": "bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:23:58Z",
            "import_time": "2026-06-09T17:45:50.011647696Z"
        }
    ]
}
References
Credits

Affected packages

npm / localization-lib

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "06c48f97c3211303018b41898b75a95ec22815e4487f432004f31a4f8ccb40b6",
            "tlsh": "68e07d60452155334ec511f24c2a5007f3704e8f0408fc0c2aeb041c408db732cf935c"
        }
    ],
    "package_integrity": [
        {
            "filename": "localization-lib-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-K72q+mf8xeug5pj8xfWSbk9cPySIDB3DIdFafT+f/QOPgSfzB9/+gttZoGDB5TfYedXRF3Z4tMJsO9gfe/0+sA==",
                "sha1": "f37184c90e9db6f936e12b5448fe7607a3509536"
            }
        }
    ],
    "domains": [
        "7363616e2d666136323231393661313133.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com",
        "2f686f6d652f7363616e.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com",
        "ltidi.storage.googleapis.com",
        "7363616e.localization-lib.s92cjl59eyq3iiumth678evix930yopce.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/localization-lib/MAL-2026-5447.json"