npm

home-mp-commons @999.0.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10553

Ecosystem

npm

Summary

home-mp-commons@999.0.3 is an empty npm package (declared main index.js is absent from the tarball) whose sole effect on install is to resolve a single dependency 'ltidisafe' from a hardcoded off-registry URL at https://storage.googleapis.com/bowpentest/pack-home-mp-commons.tgz. On npm install, npm fetches and installs that tarball from an anonymous Google Cloud Storage bucket; any lifecycle scripts or main module inside the fetched tarball then execute on the installer's machine. The bucket contents are mutable and controlled by whoever owns the 'bowpentest' bucket, not by any documented publisher or the npm registry. The package name pattern combined with a 999.x.x version bump and an internal-sounding scope-free name is the canonical dependency-confusion delivery shape: a hollow lure that pulls attacker-controlled code into the installer's node_modules at install time.

Source: amazon-inspector (885b9dad73e9eeb07a1fcb4a94493ec85573f656f7b9347a8682f56db359cfd6)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.