MAL-2026-4464

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145) Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical dependency-confusion version-bump shape used to override an internal package on installer machines. The package's own code is an empty stub (module.exports = {}). package.json declares a dependency `ltidisafe` resolved from a non-registry tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.2.tgz — the path segment `depenconf` explicitly advertises dependency-confusion intent. On `npm install`, npm fetches and installs that arbitrary tarball from a generic Google Cloud Storage bucket unrelated to Decathlon, dragging attacker-controlled code into the installer's dependency tree. The stub-host pattern combined with an off-registry tarball whose URL is self-labeled with the attack name leaves no benign interpretation.

## Source: ghsa-malware (c6237d1adb5314a9b599233de10d4a4d37c8f359edd54fc129ea214bf568d205) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.