@druids/ui @99.9.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4385

Ecosystem

npm

Summary

The package's package.json declares a dependency, ltidisafe, that is resolved not from the npm registry but from a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.6.2.tgz. On npm install, npm fetches and installs that tarball and executes whatever lifecycle scripts and code it contains on the installer's machine, with no audit trail in this package's published source. Several corroborating signals indicate this is dependency-confusion / namespace-abuse tooling rather than a legitimate UI library: the GCS bucket path literally contains the string depenconf (a common shorthand for dependency confusion); the package version is 99.9.1, the high-version-squat pattern used to outrank a private internal package of the same name; the package metadata (author, description) is empty; and the package's own index.js is near-empty, providing no library functionality consistent with the @druids/ui name. The installer-side harm is the silent inclusion of an attacker-controlled, registry-unaudited transitive dependency into the dependency tree.

Source: amazon-inspector (071ce35c0d6a17c606e5448f4c485228df973342935b0a11519304050877edf5)
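The signals the report lists (a dependency spec that bypasses the registry, a high-version squat, empty metadata) can be checked mechanically before a package is allowed into a dependency tree. The following Node.js script is an added example, not code from the OSV record, osv.dev or the package; the package.json it audits is constructed to match the report's description (the real file's full contents are not on this page), and the 99 threshold for a high-version squat is an assumed heuristic.

```javascript
// Added example: audit a package.json for the dependency-confusion signals
// described in the report. Plain Node.js, no third-party modules.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const HIGH_VERSION_MAJOR = 99; // assumed heuristic threshold, not an npm rule

// A spec is registry-resolved only when it is a plain semver range or dist-tag.
// URLs, git specs, tarballs and local paths are fetched from outside the
// registry, so nothing on the registry side ever reviewed them.
function isNonRegistrySpec(spec) {
  const s = String(spec).trim();
  if (/^(https?:|git(\+\w+)?:|git@|github:|file:|link:|workspace:)/i.test(s)) return true;
  if (/^[\w-]+\/[\w.-]+(#.*)?$/.test(s)) return true; // GitHub shorthand user/repo
  if (/\.(tgz|tar\.gz|tar)$/i.test(s)) return true;
  return false;
}

function auditPackage(pkg) {
  const findings = [];

  // Signal 1: any dependency resolved outside the npm registry.
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isNonRegistrySpec(spec)) {
        findings.push({ kind: 'non-registry-dependency', field, name, spec });
      }
    }
  }

  // Signal 2: a major version far above anything a real project would ship,
  // the pattern used to outrank a private package of the same name.
  const major = parseInt(String(pkg.version || '0').split('.')[0], 10);
  if (Number.isFinite(major) && major >= HIGH_VERSION_MAJOR) {
    findings.push({ kind: 'high-version-squat', version: pkg.version });
  }

  // Signal 3: no author and no description. Weak on its own, but it
  // corroborates the other two.
  if (!pkg.description && !pkg.author) {
    findings.push({ kind: 'empty-metadata' });
  }

  return findings;
}

// Constructed sample modeled on the report: the name, version and tarball URL
// are the ones the record names; the remaining fields are assumed.
const SAMPLE_PACKAGE_JSON = {
  name: '@druids/ui',
  version: '99.9.1',
  description: '',
  main: 'index.js',
  dependencies: {
    ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.6.2.tgz',
    react: '^18.2.0'
  }
};

// Run stand-alone: print every finding for the sample manifest.
for (const finding of auditPackage(SAMPLE_PACKAGE_JSON)) {
  console.log(JSON.stringify(finding));
}
```

The spec check is deliberately conservative: it also flags an https URL that points at registry.npmjs.org, because a tarball pinned by URL is still fetched without the registry's integrity and audit path, and a reviewer can allow-list such cases explicitly. Running the same check over a lockfile's `resolved` fields catches the case where the registry-bypassing spec sits in a transitive dependency rather than in the top-level manifest.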
