VDB
KO

MAL-2026-5158

Malicious code in page-info-service (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd) page-info-service@99.9.1 ships an empty stub (`index.js` is `module.exports = {}`) with placeholder author/description metadata and an unusually high 99.9.1 version designed to win semver resolution against an internal package name. Its sole effect is a `dependencies` entry that pulls `ltidisafe` from an external HTTPS tarball at `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz` — not from the npm registry. On `npm install`, npm fetches and installs that tarball and runs whatever lifecycle scripts and code it contains. The tarball is hosted on a third-party Google Cloud Storage bucket under a path (`depenconf/`) that explicitly suggests dependency-confusion tooling; its contents are mutable by the bucket owner, there is no integrity hash, no version pinning to a trusted registry, and no relation to any stated package purpose. This matches the canonical dependency-confusion off-registry-dropper pattern.

## Source: ghsa-malware (d4629b915cdacf2c06a56d5bb43476aef698d2e2a827d15eeb303154454b105b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

## Source: ossf-package-analysis (d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e) The OpenSSF Package Analysis project identified 'page-info-service' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / page-info-service
Introduced in: 0

No fixed version published yet for page-info-service (npm). Pin to a known-safe version or switch to an alternative.

References