@vivaux/telemetry@99.9.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4463

Ecosystem

npm

Summary

@vivaux/telemetry@99.9.1 ships an empty index.js and exists only to pull in an off-registry dependency. package.json declares "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.3.tgz" — a direct tarball URL rather than a registry name. Several signals stack: the @vivaux scope targets what appears to be a private/internal namespace; the inflated 99.9.1 version is the canonical registry-shadowing pattern used to win resolution against an internal package of the same name; the URL path segment literally contains depenconf (dependency confusion); and the package has placeholder metadata (empty author/description, license-only fields) with no real functionality of its own. On npm install, npm will fetch and install the arbitrary tarball, executing any lifecycle scripts it carries on the installer machine. The attacker controls the bytes at that URL and can rotate them at any time.

Source: amazon-inspector (e0a848407f225f6d34a9d48d9619b517c80e007c2a12c20a341e48cb7f907f81)
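A defender-side check for the signals the summary lists, added here as an example (it is not part of the OSV record or of Amazon Inspector's tooling): it flags package.json dependency specs that npm resolves without consulting the registry (tarball URLs, git, local paths), an inflated major version, and placeholder metadata. The sample manifest is constructed from the values quoted above, and the major-version threshold of 50 is an assumed heuristic.

```javascript
// Added example: audit a parsed package.json for the signals in the report.
// sampleManifest is constructed from the values quoted in the summary.
const sampleManifest = {
  name: "@vivaux/telemetry",
  version: "99.9.1",
  author: "",
  description: "",
  dependencies: {
    ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.3.tgz",
    lodash: "^4.17.21" // ordinary registry spec, must not be flagged
  }
};

// Dependency specs npm resolves without consulting the configured registry.
const OFF_REGISTRY = [
  /^https?:\/\//i,                     // direct tarball URL (the case in this report)
  /^git(\+[a-z]+)?:/i,                 // git://, git+ssh://, git+https://
  /^(github|gist|bitbucket|gitlab):/i, // hosted-git shorthands
  /^file:/i, /^\.{0,2}\//,             // local tarballs and paths
  /^[\w.-]+\/[\w.-]+$/                 // bare "user/repo" GitHub shorthand
];

function isOffRegistrySpec(spec) {
  return OFF_REGISTRY.some((re) => re.test(String(spec)));
}

// Returns findings for one manifest object. majorThreshold is an assumed
// heuristic: versions like 99.x.y exist mainly to outrank an internal package.
function auditManifest(manifest, { majorThreshold = 50 } = {}) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (isOffRegistrySpec(spec)) {
        findings.push({ section, name, spec, reason: "off-registry spec" });
      }
    }
  }
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (Number.isFinite(major) && major >= majorThreshold) {
    findings.push({ section: "version", name: manifest.name, spec: manifest.version,
                    reason: "inflated major version" });
  }
  // Empty author/description is weak alone, so report it only alongside other hits.
  if (findings.length && !manifest.author && !manifest.description) {
    findings.push({ section: "metadata", name: manifest.name, spec: "", reason: "placeholder metadata" });
  }
  return findings;
}

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.reason}: ${f.section}/${f.name} ${f.spec}`);
}
```

Run the same function over every package.json in a monorepo before merging a lockfile change; a resolved tarball host other than your registry in package-lock.json is the same finding seen from the lock side.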
