npm

notifications-broadcast @99.9.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10419

Ecosystem

npm

Summary

notifications-broadcast@99.9.1 ships an empty index.js ( module.exports = {}; ) with placeholder metadata (empty description, empty author, version 99.9.1 consistent with a dependency-confusion stub). Its only functional content is a dependency entry that resolves ltidisafe to a tarball URL at https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.4.tgz rather than the npm registry. The Google Cloud Storage bucket ltidi.storage.googleapis.com is not tied to a verifiable npm publisher identity, the tarball is not pinned by hash, and the bucket path segment depenconf matches the dependency-confusion attack shape. On npm install , npm fetches this tarball and installs its contents into the installer's node_modules , executing any lifecycle scripts and making its code reachable via require() . Whoever controls the GCS bucket therefore obtains code execution in the installer's environment via the transitive dependency, and the bucket contents can be mutated at any time without any change to this package.

Source: amazon-inspector (bd1aba4582464347961d36f63f501a5aaf2c190322e7ab8d8e4231c076b817e2)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.