npm

another-poc-by-tipsen @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10283

Ecosystem

npm

Summary

package.json declares a dependency safe-chain-test sourced from a tarball URL on an anonymous Cloudflare tunnel host ( periods-parcel-pittsburgh-upgrading.trycloudflare.com ) rather than the npm registry or a pinned git SHA. On npm install , npm fetches and installs whatever bytes that ephemeral, publisher-controlled host serves at the moment of resolution, bypassing registry scanning and integrity pinning. The tunnel operator can change the served bytes at any time, so the installer's dependency graph resolves to arbitrary, unverifiable code executed with the transitive package's install-time and require-time privileges. The package itself is otherwise empty (only package.json and README.md; declared main index.js is absent), so the sole effect of installing it is to pull in the tunnel-hosted tarball.

Source: amazon-inspector (d1bd73ac39644da27df81fcbc6540647d0f13d77419a07997a8ca0a2baa6164e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.