MAL-2026-6992

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/babel-eslint-parser-legacy/MAL-2026-6992.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6992
Published
2026-07-08T16:24:28Z
Modified
2026-07-08T17:16:45.280269476Z
Summary
Malicious code in babel-eslint-parser-legacy (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (85a6f04cbf0697b6ae409fb9e5ad0e25812dac6a2f43bd95722f1903ee2f71f7)

Package name babel-eslint-parser-legacy is a one-suffix confusion against the legitimate babel-eslint-parser. The package's own main is an empty stub, so it provides no functionality of its own. Its package.json declares a single runtime dependency ltidisafe pointing at a direct HTTPS tarball URL — https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.8.tgz — hosted on a Google Cloud Storage bucket unaffiliated with Babel and outside the npm registry. On npm install, npm fetches and installs the contents of that tarball into the installer's node_modules, executing any lifecycle scripts it declares. The tarball bytes are attacker-mutable (the bucket owner can swap contents at any time), are not subject to npm registry scanning, and are not pinned by integrity hash in the manifest. The typosquat name is the lure; the external-URL dependency is the smuggling vector for arbitrary attacker-controlled code into the installer's dependency tree.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "85a6f04cbf0697b6ae409fb9e5ad0e25812dac6a2f43bd95722f1903ee2f71f7",
            "id": "IN-MAL-2026-008097",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:30.240793308Z",
            "modified_time": "2026-07-08T16:24:28Z",
            "versions": [
                "99.9.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / babel-eslint-parser-legacy

Package

Name
babel-eslint-parser-legacy
View open source insights on deps.dev
Purl
pkg:npm/babel-eslint-parser-legacy

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "0ae02620466165738ec500b64c6f6147f3704e4e0448bc0c5b9b041c448da7368f925c",
            "sha256": "eadcd5da681df03db0ab42fe55bffdf7c324b795e3d7e762ff8062d4833deb39"
        }
    ],
    "package_integrity": [
        {
            "filename": "babel-eslint-parser-legacy-99.9.1.tgz",
            "hashes": {
                "sha1": "5984ad45cf7fd16f840f3d8e503e34ce6e966dd9",
                "sha512_sri": "sha512-WbPHh6YHFooROfFWP2x4SseXUBuzaXJmteMA90xSdiux/bbsZ7phk8Ji96I0VQgucEj9lzbtGBhg58FApgrmwQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/babel-eslint-parser-legacy/MAL-2026-6992.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]