MAL-2026-5454

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ui-ng-components/MAL-2026-5454.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5454
Published
2026-06-09T17:29:01Z
Modified
2026-06-09T18:01:37.031708431Z
Summary
Malicious code in ui-ng-components (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (198750c8e5d6f4d8a3f3f788a2fd9286f43b5a447bb0e3495b50663c44ddd2a7)

Package ui-ng-components@99.9.1 is an empty shell (index.js exports {}, no author, no description, no functionality) with a single dependency declared as a remote tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.9.tgz. The version number 99.9.1 and the literal depenconf segment in the dependency URL are the canonical fingerprint of a dependency-confusion override targeting an internal Angular UI component name. On npm install, npm fetches and installs that opaque tarball as a transitive dependency; any lifecycle scripts inside it run on the installer's machine, and its contents are not reviewable from the registry. The host package ships no library code — its only on-install effect is dropping in this externally-hosted tarball, making the install itself the attack surface.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005061",
            "versions": [
                "99.9.1"
            ],
            "sha256": "198750c8e5d6f4d8a3f3f788a2fd9286f43b5a447bb0e3495b50663c44ddd2a7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:29:01Z",
            "import_time": "2026-06-09T17:45:51.997569022Z"
        },
        {
            "id": "IN-MAL-2026-005062",
            "import_time": "2026-06-09T17:45:52.058148738Z",
            "sha256": "92b8bf1e40aeb21299e57cbf85ba5f35ca81d9a738febac8c66cdc23f398a003",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:29:02Z",
            "versions": [
                "99.9.1"
            ]
        }
    ]
}

Affected packages

npm / ui-ng-components

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "b7fe4055aca44cd8e6efa97ae3a642c1d134744340c15a3e4fcd18ee20d5010c",
            "tlsh": "8ae07d20066055331ec500b14c2b6507f3b14e8f0408bc0c1adb441c41cda7328f92dc"
        }
    ],
    "package_integrity": [
        {
            "filename": "ui-ng-components-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1Cn8dBUeXNgPT/y5l/WtrvDulg9tArH1+jefKFwjOd7Txg98DASQP4z+EMhcdRW1+btRFPY00P/nnCXemibAaQ==",
                "sha1": "9017fc8db80b07f6c702230e7dff223d8e8ccd08"
            }
        }
    ],
    "domains": [
        "ltidi.storage.googleapis.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ui-ng-components/MAL-2026-5454.json"