MAL-2026-5451

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/privacy-sdk/MAL-2026-5451.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5451
Published
2026-06-09T17:25:01Z
Modified
2026-06-09T18:01:37.587953003Z
Summary
Malicious code in privacy-sdk (npm)
Details


Source: amazon-inspector (5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969)

privacy-sdk@99.9.1 is a hollow wrapper (index.js is module.exports = {}, blank description, blank author) whose sole runtime dependency is declared as a raw tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.9.tgz". On npm install privacy-sdk, npm fetches that tarball directly from the GCS bucket — bypassing the npm registry's publication, audit, and integrity-hash mechanisms — and installs it, executing any lifecycle scripts (preinstall/install/postinstall) bundled inside. The bucket and depenconf path do not correspond to any identifiable publisher, the URL has no integrity field, and the bytes at that URL are mutable by whoever controls the bucket. The version 99.9.1 is the canonical high-version dependency-confusion pattern used to outrank an organization's internal privacy-sdk package, and the generic name compounds that risk. The package has no advertised functionality of its own; its only effect on install is to deliver attacker-controlled code into the installer's environment via the smuggled tarball.
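The checks below are an added example, not part of the OSV record or of the amazon-inspector source text: they flag the three traits the details describe, a package.json dependency whose specifier is a tarball URL or another non-registry source, a lockfile entry that resolves outside the registry host or carries no integrity field, and a hollow high-version wrapper manifest. The sample manifest and lockfile are constructed from the advisory's description; the function names and the version threshold are assumptions.

```javascript
// Added example, not part of the advisory: manifest and lockfile checks for
// dependencies that npm would fetch from outside the registry. Helper names
// and the high-version threshold are assumptions, not npm or OSV conventions.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// Specifier prefixes npm resolves without consulting the registry.
const NON_REGISTRY_SPEC = /^(https?:\/\/|git(\+\w+)?:|github:|gitlab:|bitbucket:|gist:|file:)/i;
// Bare "owner/repo[#ref]" shorthand is also fetched from GitHub.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

function auditManifest(pkg, highMajor = 90) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) {
        findings.push({ kind: 'non-registry-dependency', field, name, spec });
      }
    }
  }
  // Dependency-confusion style inflated major version (threshold is a guess).
  const major = parseInt(String(pkg.version || '0').split('.')[0], 10);
  if (major >= highMajor) findings.push({ kind: 'suspicious-high-version', version: pkg.version });
  // Hollow wrapper: no description and no author.
  if (!pkg.description && !pkg.author) findings.push({ kind: 'hollow-metadata' });
  return findings;
}

// Lockfile (v2/v3 "packages" map): every fetched entry should resolve to the
// registry host and carry an integrity hash.
function auditLockfile(lock, registryHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project or workspace link
    let host = '';
    try { host = new URL(entry.resolved || '').host; } catch { /* relative or missing */ }
    if (host !== registryHost) findings.push({ kind: 'non-registry-resolved', path, resolved: entry.resolved });
    if (!entry.integrity) findings.push({ kind: 'missing-integrity', path });
  }
  return findings;
}

// Constructed sample modelled on the advisory's description of privacy-sdk@99.9.1.
const sampleManifest = {
  name: 'privacy-sdk', version: '99.9.1', description: '', author: '', main: 'index.js',
  dependencies: { ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.9.tgz' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'privacy-sdk', version: '99.9.1' },
  'node_modules/ltidisafe': { version: '2.8.9', resolved: sampleManifest.dependencies.ltidisafe },
} };
console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Run this over a project's package.json and package-lock.json before install in CI; any non-registry finding deserves a manual look, since npm will fetch and execute whatever those URLs currently serve.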

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:25:01Z",
            "versions": [
                "99.9.1"
            ],
            "sha256": "3fde8996f6e327af3c05557575254a0ded23e8f31a7b4f5219e1c26615ec3a28",
            "id": "IN-MAL-2026-005042",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:50.591544256Z"
        },
        {
            "import_time": "2026-06-09T17:45:50.560889867Z",
            "versions": [
                "99.9.1"
            ],
            "sha256": "5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969",
            "id": "IN-MAL-2026-005041",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:25:01Z"
        }
    ]
}
References
Credits

Affected packages

npm / privacy-sdk

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "1761384280743dbd6b1964cd8fee23c3740fdd7a9509232bb74883c63b5fa489",
            "tlsh": "d1e0c2244a6166334ec511b68d2b955bf3b18e5f0418bc1c5aef541c819db7368f92ac",
            "path": "package.json"
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com",
        "7363616e2d643837343166643330386637.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com",
        "2f686f6d652f7363616e.privacy-sdk.i9s2jb5zeoqti8uct76x84v8xz33rtfi.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-+8LtG96To0e2xuVYVpZ1Uamr6HSyD2lpCytHaIF/jesaqwmz0dz5FbXVRKtmejnpJuimaDOhlX5EP8ktuXh3/w==",
                "sha1": "99e4aff3131fc2018b7cc95969c8d0d3398fc3bc"
            },
            "filename": "privacy-sdk-99.9.1.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/privacy-sdk/MAL-2026-5451.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]