process-status-widget @99.9.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10581
Ecosystem
npm
Summary
process-status-widget@99.9.1 is an empty stub (index.js exports {}, empty author/description, suspicious version 99.9.1) whose sole material effect on install is to resolve its only declared dependency 'ltidisafe' from a direct HTTPS tarball URL — https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.1.tgz — rather than from the npm registry. Installing this package causes npm to fetch and install arbitrary code from that anonymous Google Cloud Storage bucket, bypassing registry-side scanning and any tie to a known publisher. The bucket contents are mutable at the operator's discretion, and any lifecycle scripts inside the fetched tarball execute on install. The package shape (empty main, external URL dep, no functionality of its own) matches a dependency-smuggling / hijack-vehicle pattern.
Source: amazon-inspector (afd09cd68063b99549f252d3db30b88d9eb4c9e479c784ad0c09ce063764d768)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.