home-sections-web-ui @99.9.9
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10443
Ecosystem
npm
Summary
package.json declares the dependency ltidisafe as a direct tarball URL ( https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz ) hosted on an anonymous Google Cloud Storage bucket unrelated to any known publisher. Installing this package causes npm to fetch and install arbitrary, attacker-mutable JavaScript from that URL into the installer's dependency tree, bypassing the npm registry entirely. Package metadata is consistent with a throwaway lure: nonsensical author ( lslsls ), placeholder description ( lspodcc ), version 99.9.9 , and a bucket name ( lscunpentest ) suggesting pen-test / dependency-confusion tooling. The fetched tarball's contents are not pinned by hash and can be swapped at any time by whoever controls the bucket.
Source: amazon-inspector (2e6c206f8844e1ff870876bc1ac8cdf2b10ee2c36caf61883eb5a8f03caa5405)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.