MAL-2026-5517

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/firefly-utilities-helper/MAL-2026-5517.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5517

Published

2026-06-10T17:38:18Z

Modified

2026-06-10T19:31:29.101545989Z

Summary

Malicious code in firefly-utilities-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59)

firefly-utilities-helper@99.9.1 ships an empty stub (index.js: module.exports = {};) with no description, author, or repository, but declares a single dependency ltidisafe as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz. The bucket is on Google Cloud Storage, unrelated to any documented publisher, and the bucket/path naming (ltidi/depenconf) is consistent with a dependency-confusion staging area. URL-tarball dependencies bypass the npm registry's visibility, signature, and tooling — npm install will fetch the.tgz directly and execute any preinstall/install/postinstall lifecycle scripts it ships, with no hash pin, no signature, and no registry review. The wrapper contributes no functionality; its only effect on install is to smuggle the off-registry tarball into the installer's dependency tree. The high version number (99.9.1) and absent metadata are also consistent with a dependency-confusion lure intended to outrank an internal package of the same name.

Source: ossf-package-analysis (783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c)

The OpenSSF Package Analysis project identified 'firefly-utilities-helper' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-10T18:03:18.468440676Z",
            "sha256": "783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-10T17:38:18Z",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005261",
            "import_time": "2026-06-10T19:23:46.415407612Z",
            "sha256": "cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:21:43Z",
            "versions": [
                "99.9.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005262",
            "import_time": "2026-06-10T19:23:46.461650848Z",
            "sha256": "72e58b905aa1de5ac2326fa5797442959160fb1566547987fc82fa4746f2a5f0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:21:44Z",
            "versions": [
                "99.9.1"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/firefly-utilities-helper/v/99.9.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / firefly-utilities-helper

Package

Name: firefly-utilities-helper; View open source insights on deps.dev
Purl: pkg:npm/firefly-utilities-helper

Affected ranges

Affected versions

99.*

99.9.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/firefly-utilities-helper/MAL-2026-5517.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "d6b357be209624bca65a91e3817e0d4b496c413d88ce08a5ff6b0d4c8f8f0596",
            "tlsh": "f1e07d24566156334ec511f24c1f5547f3b08e4f0404bc1c1afb441c408db7328fe25c"
        },
        {
            "path": "index.js",
            "sha256": "322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8",
            "tlsh": "0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754"
        }
    ],
    "package_integrity": [
        {
            "filename": "firefly-utilities-helper-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-BCPnEE5VhogA0KDIINvrcnrtAmk0AGpxC6EPGS2JNpTod4uasBKmmmFNVbF7DAKkXQEYOiaSc3myPnKzHe1a8A==",
                "sha1": "ee154fcd12e9beb5c848592c4a684a23b758479e"
            }
        }
    ],
    "domains": [
        "7363616e.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com",
        "7363616e2d643234616332363761343938.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com",
        "2f686f6d652f7363616e.firefly-utilities-helper.g6n0g92xbmnrf6raq53v52s6ux0o0cq0f.oastify.com"
    ]
}