npm

process-status-widget @99.9.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10581

Ecosystem

npm

Summary

process-status-widget@99.9.1 is an empty stub (index.js exports {}, empty author/description, suspicious version 99.9.1) whose sole material effect on install is to resolve its only declared dependency 'ltidisafe' from a direct HTTPS tarball URL — https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.1.tgz — rather than from the npm registry. Installing this package causes npm to fetch and install arbitrary code from that anonymous Google Cloud Storage bucket, bypassing registry-side scanning and any tie to a known publisher. The bucket contents are mutable at the operator's discretion, and any lifecycle scripts inside the fetched tarball execute on install. The package shape (empty main, external URL dep, no functionality of its own) matches a dependency-smuggling / hijack-vehicle pattern.

Source: amazon-inspector (afd09cd68063b99549f252d3db30b88d9eb4c9e479c784ad0c09ce063764d768)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.