npm

ryan-pdf-js @99.9.1

Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 7:52 PM UTC

Malicious

OSV ID

MAL-2026-6546

Ecosystem

npm

Summary

ryan-pdf-js@99.9.1 is an empty stub package (index.js exports {}) whose sole purpose is to deliver an off-registry payload at install time. Its package.json declares its only dependency, ltidisafe, as a direct HTTPS tarball URL on a generic Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz) rather than a registry name, bypassing npm registry scanning. On npm install, npm fetches and unpacks that tarball, and any lifecycle scripts it contains execute on the installer's machine. The bucket path depenconf/ is consistent with dependency-confusion staging, and the package name evokes the widely used pdf.js ecosystem while shipping no real implementation: a typosquat-shaped lure whose only effect is to route installs through the off-registry dropper.
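The practical check this record points to is whether any dependency spec in a package.json resolves somewhere other than a trusted registry. The Node script below is an added example (not part of the OSV record or the package); it classifies each spec the way npm interprets it and flags tarball URLs on arbitrary hosts, local paths and git sources. The trusted-registry host list and the sample package.json (with an extra mocha entry) are constructed for the example.

```javascript
// Added example: flag package.json dependencies whose spec is not a plain
// registry range (e.g. a raw tarball URL), the pattern used by ryan-pdf-js.
// Registry hosts to trust are an assumption; adjust for a private registry.
const REGISTRY_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com']);
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify a dependency spec the way npm interprets it: registry range,
// alias, local path, hosted git, a URL on a trusted registry, or a URL elsewhere.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^npm:/i.test(s)) return 'alias';
  if (/^(file:|\.\.?\/|\/|~\/)/.test(s)) return 'local-path';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s) || /^git@/i.test(s)) return 'hosted-git';
  if (/^(git\+)?(https?|ssh|git):\/\//i.test(s)) {
    let host = '';
    try { host = new URL(s.replace(/^git\+/i, '')).hostname; } catch (_) { /* unparsable: treat as remote */ }
    if (REGISTRY_HOSTS.has(host)) return 'registry-url';
    // A tarball fetched from an arbitrary host bypasses registry scanning entirely.
    return /\.(tgz|tar\.gz)(\?.*)?$/i.test(s) ? 'off-registry-tarball' : 'remote-url';
  }
  // GitHub shorthand "owner/repo[#ref]" contains a slash; semver ranges never do.
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'hosted-git';
  return 'registry';
}

// Walk every dependency field and return the specs npm would resolve off-registry.
function findNonRegistryDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry' && kind !== 'registry-url') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed package.json modelled on the report (the mocha entry is added
// only to show that an ordinary registry range is not flagged).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'ryan-pdf-js',
  version: '99.9.1',
  main: 'index.js',
  dependencies: { ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz' },
  devDependencies: { mocha: '^10.0.0' },
});

for (const f of findNonRegistryDeps(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.kind}: ${f.field}.${f.name} -> ${f.spec}`);
}
```

To use it on real input, replace SAMPLE_PACKAGE_JSON with the contents of the package.json under review; pairing the check with npm install --ignore-scripts keeps a flagged tarball's lifecycle scripts from running while it is inspected.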

Source: amazon-inspector (c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb)
