MAL-2026-5767

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ltidiconf/MAL-2026-5767.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5767
Aliases
  • GHSA-qv73-635h-wqmp
Published
2026-06-14T09:54:09Z
Modified
2026-07-10T17:02:01.600765356Z
Summary
Malicious code in ltidiconf (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a4ca306052ea5224831743daec9d3944fadff8cb4a7211e980be7669a739d00d)

ltidiconf@99.9.1 is an empty wrapper package (index.js is module.exports = {};, empty author/description, inflated 99.9.1 version) whose sole effect on install is to pull a single dependency declared as a direct tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.8.tgz". The bytes at that GCS bucket are mutable, unpinned, and not integrity-hashed; the bucket owner can swap the tarball at any time, and whatever code is in it executes at npm install time and on require. The wrapper has no functional content of its own, the bucket path literally contains the string depenconf, and the 99.9.1 version is the canonical shape of a dependency-confusion squat designed to shadow an internal package name and drop arbitrary attacker-controlled code into the installer's environment.

Source: ghsa-malware (b949b5a457e726a907fa5e6b27ac585521202e3138218191b3bfe2945ecb39ff)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Source: ossf-package-analysis (82f07d72efb0234c99f1db77fa557334d2cf010cd0a7020e470d6e72518c0a5d)

The OpenSSF Package Analysis project identified 'ltidiconf' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "82f07d72efb0234c99f1db77fa557334d2cf010cd0a7020e470d6e72518c0a5d",
            "versions": [
                "99.9.1"
            ],
            "import_time": "2026-06-14T10:35:35.647537799Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-14T09:54:09Z"
        },
        {
            "modified_time": "2026-06-15T15:10:50Z",
            "sha256": "d23bfcabd08f1f3edd2a8e962bb0fe97b93785acbe3b05387f896131096b1a2a",
            "versions": [
                "99.9.1"
            ],
            "import_time": "2026-06-15T15:30:23.145460417Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006495"
        },
        {
            "modified_time": "2026-06-15T15:10:49Z",
            "sha256": "a4ca306052ea5224831743daec9d3944fadff8cb4a7211e980be7669a739d00d",
            "versions": [
                "99.9.1"
            ],
            "import_time": "2026-06-15T15:30:23.033169264Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006494"
        },
        {
            "modified_time": "2026-07-10T16:24:51Z",
            "sha256": "b949b5a457e726a907fa5e6b27ac585521202e3138218191b3bfe2945ecb39ff",
            "import_time": "2026-07-10T16:54:13.284431097Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "id": "GHSA-qv73-635h-wqmp"
        }
    ]
}
References
Credits

Affected packages

npm / ltidiconf

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ltidiconf-99.9.1.tgz",
            "hashes": {
                "sha1": "72e736d4a74c4acb90055a11072b98a4e1ed5520",
                "sha512_sri": "sha512-/SIpygfPax1YLY0WdK4DOliRK/eHvHNwMYnuoQRkzGvVTeHpYhhs4v9Dfr9xRSeE5mJ816lTMJ3KOJvA0Ip6dQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "89e0c2244a656a334eda11b2486b655bf3718e9f0808bc1cabdf042c45edbb368f935c",
            "sha256": "5bcd53d105dc8824e8fc7ec8902d98a569065fc039ca4b61a72a73a237db18cd",
            "path": "package.json"
        },
        {
            "tlsh": "0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754",
            "sha256": "322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8",
            "path": "index.js"
        }
    ],
    "ips": [
        "54.77.139.23",
        "3.248.33.252",
        "172.253.62.207"
    ],
    "domains": [
        "ltidi.storage.googleapis.com",
        "7363616e.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com",
        "7363616e2d366233333065356337333938.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com",
        "2f686f6d652f7363616e.ltidiconf.9lvadgr230soiphkf5c2nobxvo1gp6dv.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ltidiconf/MAL-2026-5767.json"