firefly-utilities-helper@99.9.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5517
Ecosystem: npm
Summary
firefly-utilities-helper@99.9.1 ships an empty stub (index.js: `module.exports = {};`) with no description, author, or repository, but declares a single dependency, ltidisafe, as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz. The bucket is on Google Cloud Storage, unrelated to any documented publisher, and the bucket/path naming (ltidi / depenconf) is consistent with a dependency-confusion staging area. URL-tarball dependencies bypass the npm registry's visibility, signature, and tooling: npm install fetches the .tgz directly and executes any preinstall/install/postinstall lifecycle scripts it ships, with no hash pin, no signature, and no registry review. The wrapper contributes no functionality; its only effect on install is to smuggle the off-registry tarball into the installer's dependency tree. The high version number (99.9.1) and absent metadata are also consistent with a dependency-confusion lure intended to outrank an internal package of the same name.
Source: amazon-inspector (cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59)
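As an added example (not code from the advisory or its source), here is a small defender-side check over a package.json and a package-lock.json that surfaces exactly the pattern described above: dependency specs and resolved URLs that point at a tarball outside registry.npmjs.org. The sample manifest and lockfile are constructed to mirror the report; the allow-list parameter and the benign lodash entry are assumptions.

```javascript
// Added example, not the advisory's code: flag dependencies npm would fetch
// as a tarball from outside the registry, the pattern the report describes.
const REGISTRY_HOSTS = ['registry.npmjs.org'];
// A spec that is a remote/local tarball rather than a semver range.
const TARBALL_RE = /^(https?:\/\/|file:)\S*\.(tgz|tar\.gz)$/i;

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ''; }  // file:/junk -> ''
}

// package.json scan; allowedHosts is a team's own allow-list (assumption).
function findTarballDeps(manifest, allowedHosts = []) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!TARBALL_RE.test(spec)) continue;
      const host = hostOf(spec);
      if (!allowedHosts.includes(host)) findings.push({ field, name, spec, host });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2/3) scan: any resolved URL that is not
// the registry or an allowed host was fetched off-registry.
function findOffRegistryResolved(lockfile, allowedHosts = []) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === '' || !entry.resolved) continue;  // '' is the root project
    const host = hostOf(entry.resolved);
    if (REGISTRY_HOSTS.includes(host) || allowedHosts.includes(host)) continue;
    findings.push({ path: pkgPath, resolved: entry.resolved, host });
  }
  return findings;
}

// Constructed samples mirroring the report: an empty wrapper whose only real
// dependency is the off-registry tarball, beside a normal registry package.
const TARBALL = 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz';
const SAMPLE_MANIFEST = { name: 'firefly-utilities-helper', version: '99.9.1',
  dependencies: { ltidisafe: TARBALL, lodash: '^4.17.21' } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'firefly-utilities-helper', version: '99.9.1' },
  'node_modules/lodash': { version: '4.17.21',
    resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  'node_modules/ltidisafe': { version: '3.0.6', resolved: TARBALL } } };

for (const f of [...findTarballDeps(SAMPLE_MANIFEST), ...findOffRegistryResolved(SAMPLE_LOCK)]) {
  console.log('off-registry tarball:', JSON.stringify(f));
}
```

Running this on every pull request, or in CI before `npm ci`, turns the off-registry fetch into a visible finding rather than a silent install-time download; pairing it with `npm config set ignore-scripts true` removes the lifecycle-script execution the report warns about.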