polylabel-web-lib @99.9.1
Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 5:37 PM UTC
OSV ID
MAL-2026-10198
Ecosystem
npm
Summary
polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz". On npm install , npm fetches this out-of-registry tarball and runs any lifecycle scripts it contains, so the bucket owner controls arbitrary install-time code that executes on the installer's machine. The tarball host is not the npm registry, is not tied to an established publisher CDN for this name, and its contents are mutable at the bucket owner's discretion. The package's own code has no functional purpose beyond smuggling this out-of-registry dependency into installer environments, matching the dependency-smuggling / lure shape used to deliver install-time payloads.
Source: amazon-inspector (ce7df46acd8236fafbaa27dbccb92d1f286c17b023ea5ff555700e76c4a0188f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.