-= Per source details. Do not edit below this line.=-
Package presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json declares a single dependency 'ltidisafe' via a direct URL to a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz) rather than a registry name+semver. The URL path segment 'depenconf' explicitly labels the dependency-confusion technique. On npm install, the tarball is fetched from the bucket (outside registry review, mutable by the bucket owner at any time) and its contents enter the installer's dependency tree with normal install-time execution rights, including any lifecycle hooks in that tarball. The hollow lure + inflated version + name mimicking an internal namespace + external mutable tarball delivery jointly constitute a dependency-confusion dropper.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T16:24:09Z",
"id": "IN-MAL-2026-008095",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:29.965123656Z",
"sha256": "a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec",
"versions": [
"99.9.1"
]
}
]
}{
"evidence_files": [
{
"path": "package.json",
"tlsh": "22e07d34493156330ec901b6481b600bf3714e4f0408bd0c1bdb041c418da7338f935c",
"sha256": "96812e1747a2865d619437e6e91eb803cbff03b56d6251602f75c9bbf4ced714"
}
],
"package_integrity": [
{
"filename": "visa-cli-tools-99.9.1.tgz",
"hashes": {
"sha1": "7b89165f3e56e0d18d495dd2decd94a64510672d",
"sha512_sri": "sha512-JQJiXszGuHdbdIuU0GwrGXRXIbNY/Nqz7t2FIFUddWRakiDyB6K9LMhlry5RBQPyLHYBUiDqSsNR9sJm3Lxl+A=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/visa-cli-tools/MAL-2026-7005.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]