@webda-features/dashboard @99.9.1

Summary

The package is an empty wrapper ( index.js contains only module.exports = {}; ) whose sole effect on install is to resolve a single dependency declared as a direct HTTPS tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.5.tgz" in package.json. npm fetches and installs that tarball during npm install , running whatever lifecycle scripts and module code it ships. The tarball is hosted on an arbitrary Google Cloud Storage bucket ( ltidi.storage.googleapis.com/depenconf/ ) that is not tied to any verifiable publisher of the @webda ecosystem and lives outside the npm registry's audit surface, so the bytes installers receive can change at any time without a registry release. The package name @webda-features/dashboard mimics the legitimate @webda (Webda.io) scope, and the inflated version 99.9.1 is consistent with a dependency-confusion delivery vehicle aimed at private @webda-features/* resolutions.

Source: amazon-inspector (3698e6d2d9b93092104883c8f7e4ffcd602d31d3fd3ae2574850ea6ad15e8437)