OSV ID
MAL-2026-10421
Ecosystem
npm
Summary
package.json declares the dependency 'ltidisafe' as a direct https tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.2.tgz) rather than a package on the npm registry. On npm install portway , npm fetches that tarball and installs its contents into the installer's node_modules. The URL points to a generic Google Cloud Storage bucket unrelated to any established publisher, is not pinned by integrity hash, and is mutable by whoever controls the bucket. The bucket contents bypass npm registry review and are not visible to registry-side scanners. The package itself ships an empty index.js and no lifecycle scripts, so its only effect on installation is pulling this off-registry tarball into the installer's dependency graph, where its code runs under the normal require/lifecycle rules of whatever it contains.
Source: amazon-inspector (e04dc52cd77658d168578535fb67d77ea76de79beadb77e14c96f023f4e51772)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.