@webda-infra/search @99.9.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5433

Ecosystem

npm

Summary

@webda-infra/search@99.9.1 is a near-empty placeholder (index.js is empty, module.exports = {}) whose package.json declares a single dependency, ltidisafe, resolved via a direct URL to a Google Cloud Storage bucket: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.4.tgz. The path segment depenconf, the burner-style version 99.9.1 chosen to outrank any legitimate internal @webda-infra/* package, and the absence of an integrity hash or version pin combine into a dependency-confusion / namespace-squat shape: any npm install that resolves this public package will fetch and install whatever bytes are hosted at that GCS URL, including any preinstall/install/postinstall lifecycle scripts in the resulting tarball. The GCS bucket is unrelated to any verified webda / webda-infra publisher and the URL is mutable — the operator can swap the served bytes at any time. The entire reason to install this package is to pull and execute arbitrary off-registry code on the installer's machine.

Source: amazon-inspector (1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73)
