npm

portway @99.9.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10421

Ecosystem

npm

Summary

package.json declares the dependency 'ltidisafe' as a direct https tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.2.tgz) rather than a package on the npm registry. On npm install portway , npm fetches that tarball and installs its contents into the installer's node_modules. The URL points to a generic Google Cloud Storage bucket unrelated to any established publisher, is not pinned by integrity hash, and is mutable by whoever controls the bucket. The bucket contents bypass npm registry review and are not visible to registry-side scanners. The package itself ships an empty index.js and no lifecycle scripts, so its only effect on installation is pulling this off-registry tarball into the installer's dependency graph, where its code runs under the normal require/lifecycle rules of whatever it contains.

Source: amazon-inspector (e04dc52cd77658d168578535fb67d77ea76de79beadb77e14c96f023f4e51772)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.