OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7005 confirms this npm version as malicious. Package presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json...
Advisory
MAL-2026-7005
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in visa-cli-tools (npm)
Details
Package presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json declares a single dependency 'ltidisafe' via a direct URL to a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz) rather than a registry name+semver. The URL path segment 'depenconf' explicitly labels the dependency-confusion technique. On `npm install`, the tarball is fetched from the bucket (outside registry review, mutable by the bucket owner at any time) and its contents enter the installer's dependency tree with normal install-time execution rights, including any lifecycle hooks in that tarball. The hollow lure + inflated version + name mimicking an internal namespace + external mutable tarball delivery jointly constitute a dependency-confusion dropper.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present