MAL-2026-7005

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/visa-cli-tools/MAL-2026-7005.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7005
Published
2026-07-08T16:24:09Z
Modified
2026-07-08T17:16:53.650412776Z
Summary
Malicious code in visa-cli-tools (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec)

Package presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json declares a single dependency 'ltidisafe' via a direct URL to a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz) rather than a registry name+semver. The URL path segment 'depenconf' explicitly labels the dependency-confusion technique. On npm install, the tarball is fetched from the bucket (outside registry review, mutable by the bucket owner at any time) and its contents enter the installer's dependency tree with normal install-time execution rights, including any lifecycle hooks in that tarball. The hollow lure + inflated version + name mimicking an internal namespace + external mutable tarball delivery jointly constitute a dependency-confusion dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T16:24:09Z",
            "id": "IN-MAL-2026-008095",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:29.965123656Z",
            "sha256": "a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec",
            "versions": [
                "99.9.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / visa-cli-tools

Package

Affected ranges

Affected versions

99.*
99.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "22e07d34493156330ec901b6481b600bf3714e4f0408bd0c1bdb041c418da7338f935c",
            "sha256": "96812e1747a2865d619437e6e91eb803cbff03b56d6251602f75c9bbf4ced714"
        }
    ],
    "package_integrity": [
        {
            "filename": "visa-cli-tools-99.9.1.tgz",
            "hashes": {
                "sha1": "7b89165f3e56e0d18d495dd2decd94a64510672d",
                "sha512_sri": "sha512-JQJiXszGuHdbdIuU0GwrGXRXIbNY/Nqz7t2FIFUddWRakiDyB6K9LMhlry5RBQPyLHYBUiDqSsNR9sJm3Lxl+A=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/visa-cli-tools/MAL-2026-7005.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]