npm

frontend-regulations @99.9.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10415

Ecosystem

npm

Summary

frontend-regulations@99.9.1 is a near-empty wrapper (index.js exports an empty object) whose package.json declares the dependency 'ltidisafe' with the URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.3.tgz instead of a registry version. Installing this package causes npm to fetch a tarball from a Google Cloud Storage bucket unrelated to any documented publisher and place it into the installer's node_modules, where its lifecycle scripts and main entry execute during npm install . The wrapper package itself provides no functionality; its only effect is to smuggle the externally-hosted tarball into the dependency tree. The suspiciously high version number (99.9.1) combined with a hollow main entry and an off-registry dependency URL matches the dependency-chain dropper pattern.

Source: amazon-inspector (6d88817d57907505adf7d303019c78adceb6da7bedf1e3416f2b9a1e80605ca1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.