npm

visa-cli-tools @99.9.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-7005

Ecosystem

npm

Summary

Package presents as an internal-looking corporate tooling name ('visa-cli-tools') published at an inflated version (99.9.1) — the canonical dependency-confusion shape used to override a private-registry resolution with a public-npm entry. The package body is a hollow stub (index.js exports an empty object), so the package has no library utility; its only on-install effect is dependency resolution. package.json declares a single dependency 'ltidisafe' via a direct URL to a third-party Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.2.tgz) rather than a registry name+semver. The URL path segment 'depenconf' explicitly labels the dependency-confusion technique. On npm install , the tarball is fetched from the bucket (outside registry review, mutable by the bucket owner at any time) and its contents enter the installer's dependency tree with normal install-time execution rights, including any lifecycle hooks in that tarball. The hollow lure + inflated version + name mimicking an internal namespace + external mutable tarball delivery jointly constitute a dependency-confusion dropper.

Source: amazon-inspector (a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.