OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5446 confirms this npm version as malicious. housecall-ui@99.9.1 is a hollow npm package (empty description, empty author, index.js exports an empty object) whose sole runtime dependency is declared as an HTTPS tarball URL pointing at a third-party Google Cloud Storage bucket: `"ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz"` (package.json line 10)...
Advisory
MAL-2026-5446
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in housecall-ui (npm)
Details
housecall-ui@99.9.1 is a hollow npm package (empty description, empty author, index.js exports an empty object) whose sole runtime dependency is declared as an HTTPS tarball URL pointing at a third-party Google Cloud Storage bucket: `"ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz"` (package.json line 10). On `npm install`, npm fetches whatever bytes currently reside at that GCS URL and executes any lifecycle scripts (preinstall/install/postinstall) inside the resulting tarball. The bucket is not the npm registry, is not a documented publisher infrastructure for any vendor, is unpinned by hash, and is mutable by whoever controls it — meaning the installer cannot audit or guarantee what code will run. The package's name is brand-adjacent to HouseCall Pro and the version is artificially inflated to 99.9.1, the canonical pattern of a dependency-confusion lure designed to outrank an internal private package of the same name in mixed-resolution environments. The surrounding package contributes no functionality; its only effect on install is to sideload `ltidisafe` from attacker-mutable infrastructure.
Decision reason
OpenSSF Malicious Packages via OSV confirms housecall-ui@99.9.1 as malicious (MAL-2026-5446): Malicious code in housecall-ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory