MAL-2026-6546

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ryan-pdf-js/MAL-2026-6546.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6546
Published
2026-06-27T14:21:07Z
Modified
2026-06-27T14:46:40.790893542Z
Summary
Malicious code in ryan-pdf-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb)

ryan-pdf-js@99.9.1 is an empty stub package (index.js exports {}) whose sole purpose is to deliver an off-registry payload at install time. Its package.json declares its only dependency, ltidisafe, as a direct HTTPS tarball URL on a generic Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz) rather than as a registry name and version range. Because the payload tarball is never published to the registry, registry-side scanning never sees it. On npm install, npm fetches and unpacks that tarball and, unless install scripts are disabled (--ignore-scripts on the command line or ignore-scripts=true in .npmrc), runs any lifecycle scripts it contains on the installer's machine; a lockfile does not help here, since package-lock.json records the same URL as the resolved source and npm ci fetches it just the same. The bucket path depenconf/ is consistent with dependency-confusion staging, and the package name evokes the widely used pdf.js ecosystem while shipping no real implementation: a typosquat-shaped lure whose only effect is to route installs through the off-registry dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.1"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-27T14:21:07Z",
            "sha256": "c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb",
            "id": "IN-MAL-2026-007677",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-27T14:36:43.600830137Z"
        }
    ]
}

Affected packages

npm / ryan-pdf-js

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

99.*
99.9.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ryan-pdf-js-99.9.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-0uFMmZv7jxMGXj4vzf1NYMEjZilYrpLC6whYMzEYfsXietGON110GQi9kgsCRd7zXRowxH6DesUFqYVJ+GXbvw==",
                "sha1": "08d81cc0838beba89f4eb2285e9ac932dc6ed88b"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "1ae072204a206a330ec601f2882a614bf3718e5f0408bc0c2bdb082c408ea7328fa29c",
            "sha256": "f2c727945460674250f5dff3b64258a5aa011c06a0009ec11eebbb04a1298819"
        },
        {
            "path": "index.js",
            "tlsh": "0e80040d043171c70355404dd140d441d4c04471400550110fc44ddd0004c0c01f0754",
            "sha256": "322ee46d71101bed25f260f2e78a419b5472e28d1ba02831ced05c73b44e5bb8"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ryan-pdf-js/MAL-2026-6546.json"