MAL-2026-5153
Malicious code in @att-ebiz/abs-components-bc (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fb8d1b46db555fda7536bcf080f9dfd0ceed5c731f7a96b2579121598dad6721) Package @att-ebiz/abs-components-bc@99.9.1 is an empty placeholder published to public npm under a scope (@att-ebiz) that matches AT&T's internal eBusiness namespace, with an inflated 99.9.1 version designed to outrank a legitimate private package of the same name during resolution. Its only meaningful content is a dependency in package.json line 10 declaring "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.8.tgz" — an off-registry tarball hosted on a third-party Google Cloud Storage bucket. The URL is unpinned (no integrity hash), mutable by whoever controls the bucket, and the path segment 'depenconf' explicitly names the dependency-confusion technique. On npm install, npm fetches that tarball and executes any preinstall/install/postinstall lifecycle scripts and module code it contains on the installer's machine. The package itself ships an empty index.js, so installation has no purpose other than pulling and executing the remote tarball's contents. Combined fingerprint — scoped namespace impersonation + 99.9.1 version inflation + empty source + unpinned off-registry tarball with 'depenconf' in the URL — is an unambiguous dependency-confusion dropper.
## Source: ghsa-malware (397f7a3656c6e13b1ba187a7f842221211ea1a02dc0f54ce3775e0c08d78a53b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (d9d4d8606057fc579fbbc6ede648c88bb580827838850f589e8887c1dd374a39) The OpenSSF Package Analysis project identified '@att-ebiz/abs-components-bc' @ 99.9.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for @att-ebiz/abs-components-bc (npm). Pin to a known-safe version or switch to an alternative.