MAL-2026-5453

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tivo-codelib-a/MAL-2026-5453.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5453
Published
2026-06-09T17:27:44Z
Modified
2026-06-09T18:01:37.870010693Z
Summary
Malicious code in tivo-codelib-a (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7)

tivo-codelib-a@99.9.1 is an empty-stub npm package whose index.js exports module.exports = {} and whose package metadata (description, author) is blank. Its only effect on installers is its sole runtime dependency, which is declared in package.json as a direct HTTPS URL rather than a registry version: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.1.tgz". On npm install, npm fetches that tarball from a Google Cloud Storage bucket (ltidi.storage.googleapis.com/depenconf/) that does not correspond to any reputable publisher, installs it into the consumer's node_modules, and runs any lifecycle scripts it contains. The URL is not hash-pinned, so the bucket owner can swap the tarball contents at any time and ship arbitrary code to every installer. The package name pattern (-codelib-a), the unusually high version (99.9.1), the empty metadata, and the off-registry GCS dependency together match the dependency-confusion smuggler/loader shape: a hollow lure whose install resolves to attacker-controlled code hosted outside the registry.
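The tell described above is visible in a consumer's own package.json before anything is installed: a dependency whose value is a URL instead of a registry version. The following is an added example, not the advisory's or the package's code, that scans a package.json (and optionally a lockfile v2/v3, whose `packages` map is keyed by `node_modules/<name>`) and reports every dependency resolved outside the registry together with whether any integrity hash pins it. The sample package.json is constructed to mirror the one the record describes; the `lodash` entry is only there as a registry-spec control.

```javascript
// Added example (not the advisory's or the package's code): flag package.json
// dependencies whose specifier bypasses the npm registry, the shape the
// tivo-codelib-a record describes (a bare tarball URL with no registry version).
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one dependency specifier; null means an ordinary registry spec.
function classifySpec(spec) {
  if (/^https?:\/\//i.test(spec)) return "tarball-url";
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "github-shorthand";
  if (/^(file|link):/i.test(spec)) return "local-path";
  return null;
}

// Scan package.json text, optionally alongside a lockfile (v2/v3 "packages"
// map keyed by node_modules/<name>). integrity === null means nothing in the
// project pins the bytes that will be installed for that dependency.
function findOffRegistryDeps(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = lockText ? JSON.parse(lockText) : null;
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(String(spec));
      if (!kind) continue;
      const entry = lock && lock.packages ? lock.packages[`node_modules/${name}`] : null;
      findings.push({
        name, spec, kind, field,
        integrity: entry && entry.integrity ? entry.integrity : null,
      });
    }
  }
  return findings;
}

// Constructed sample mirroring the package.json described in the advisory.
const SAMPLE_PKG = JSON.stringify({
  name: "tivo-codelib-a",
  version: "99.9.1",
  dependencies: {
    ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.1.tgz",
    lodash: "^4.17.21",
  },
});

for (const f of findOffRegistryDeps(SAMPLE_PKG)) {
  console.warn(`[${f.field}] ${f.name}: ${f.kind} spec ${f.spec}` +
    (f.integrity ? ` (lockfile integrity ${f.integrity})` : " (no integrity pin)"));
}
```

A lockfile integrity value only freezes whatever the first installer happened to fetch from the bucket; it does not make that tarball trustworthy, so an off-registry finding should be reviewed regardless of the pin.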

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005053",
            "versions": [
                "99.9.1"
            ],
            "sha256": "2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:27:44Z",
            "import_time": "2026-06-09T17:45:51.459907891Z"
        },
        {
            "id": "IN-MAL-2026-005054",
            "versions": [
                "99.9.1"
            ],
            "sha256": "57c9d90cd89beaed446ec71eacbe7fd7230972ebf844bd58a3199c2e4dbf3ed9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:27:44Z",
            "import_time": "2026-06-09T17:45:51.510031173Z"
        }
    ]
}
References
Credits

Affected packages

npm / tivo-codelib-a

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "e07d0700632dcbcb87e7ef7a1af059c922c045065ec260cc3868c177a6f7099e",
            "tlsh": "68e072204a21a6331fc500f24c2aa54bf3b08e9f0808bc0c1eeb081c808df7328f926d"
        },
        {
            "path": "index.js",
            "sha256": "322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8",
            "tlsh": "0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754"
        }
    ],
    "package_integrity": [
        {
            "filename": "tivo-codelib-a-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Ab0qWS1glZZj6C5KUxHeJ5ORSrPAvtiEjMmXaesTTo96PkKESDlrk2Sjh9OUQgz8TGOJZa4hyuJodbzJTkJuIQ==",
                "sha1": "fbcd2f7e47a62d5254dd94ea8bd9e80fed2cf980"
            }
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com",
        "7363616e2d633832343432663362343336.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com",
        "2f686f6d652f7363616e.tivo-codelib-a.165lgu2ib7ncfrrvqq3g5nsrui0eo4ct.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tivo-codelib-a/MAL-2026-5453.json"