npm

ag-charts-test @99.9.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6989

Ecosystem

npm

Summary

ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency ltidisafe from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket ( https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz ) rather than through the npm registry. On npm install , the tarball is fetched from that bucket and its contents — including any lifecycle scripts — execute on the installer's machine. The bucket owner can mutate the tarball at any time, so the executed bytes are attacker-controlled. The package name mimics the AG Charts / AG Grid namespace and the inflated 99.9.1 version, combined with the depenconf path segment on the bucket URL, is the canonical dependency-confusion shape (outbidding an internal ag-charts-* name to force resolution of the attacker's package into a private build). No legitimate purpose is documented and the package ships no code of its own.

Source: amazon-inspector (29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.