MAL-2026-6989

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ag-charts-test/MAL-2026-6989.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6989
Published
2026-07-08T16:24:17Z
Modified
2026-07-08T17:16:44.824863537Z
Summary
Malicious code in ag-charts-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9)

ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency ltidisafe from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz) rather than through the npm registry. On npm install, the tarball is fetched from that bucket and its contents — including any lifecycle scripts — execute on the installer's machine. The bucket owner can mutate the tarball at any time, so the executed bytes are attacker-controlled. The package name mimics the AG Charts / AG Grid namespace and the inflated 99.9.1 version, combined with the depenconf path segment on the bucket URL, is the canonical dependency-confusion shape (outbidding an internal ag-charts-* name to force resolution of the attacker's package into a private build). No legitimate purpose is documented and the package ships no code of its own.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9",
            "id": "IN-MAL-2026-008096",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:30.120527151Z",
            "modified_time": "2026-07-08T16:24:17Z",
            "versions": [
                "99.9.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ag-charts-test

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "a7e07d20892155334ec511b1881b6007f3708e4f0404bc0c5aeb042c448ea7338f925d",
            "sha256": "b375a3b59adf319149753ed5fbf51f3a491e124f7e82ea2002b0ed3f379a2f50"
        }
    ],
    "package_integrity": [
        {
            "filename": "ag-charts-test-99.9.1.tgz",
            "hashes": {
                "sha1": "8291e1bb88de2433081e284b8c15cf27c5da46b8",
                "sha512_sri": "sha512-PtNt39P4H6ZNrnbOqrLiZamRTJBQaRyG+LGiopEK1Q+TxwXFeYc+smy1CP7SLSmVC7p0zosjHRW6zy5jZquqww=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ag-charts-test/MAL-2026-6989.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]