npm

babel-eslint-parser-legacy @99.9.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6992

Ecosystem

npm

Summary

Package name babel-eslint-parser-legacy is a one-suffix confusion against the legitimate babel-eslint-parser . The package's own main is an empty stub, so it provides no functionality of its own. Its package.json declares a single runtime dependency ltidisafe pointing at a direct HTTPS tarball URL — https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.8.tgz — hosted on a Google Cloud Storage bucket unaffiliated with Babel and outside the npm registry. On npm install , npm fetches and installs the contents of that tarball into the installer's node_modules , executing any lifecycle scripts it declares. The tarball bytes are attacker-mutable (the bucket owner can swap contents at any time), are not subject to npm registry scanning, and are not pinned by integrity hash in the manifest. The typosquat name is the lure; the external-URL dependency is the smuggling vector for arbitrary attacker-controlled code into the installer's dependency tree.

Source: amazon-inspector (85a6f04cbf0697b6ae409fb9e5ad0e25812dac6a2f43bd95722f1903ee2f71f7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.