sorenson-webfonts @99.9.1

Summary

sorenson-webfonts@99.9.1 is a hollow package: index.js is a 2-line stub ( 'use strict'; module.exports = {}; ), author/description fields are empty, and the version number 99.9.1 is the high-version pattern characteristic of dependency-confusion attempts to override an internal package. The package's only effect on install is to pull a single dependency, ltidisafe , directly from an HTTPS tarball URL on a Google Cloud Storage bucket ( https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.2.tgz ) — a non-registry, non-publisher location whose path segment depenconf suggests dependency-confusion staging. Resolving this dependency causes npm to fetch and execute the lifecycle scripts of an off-registry tarball whose contents are not pinned by integrity hash and not subject to registry review. The package name ( sorenson-webfonts ) bears no relation to the dependency name or to any stated purpose; there is no advertised webfont functionality in the shipped code. The combination of empty body, placeholder metadata, 99.9.x version, and an unrelated off-registry tarball pulled from a bucket path named after dependency confusion is the smuggling-vehicle shape rather than a legitimate library.

Source: amazon-inspector (d45b3e803fc04f697e067f5dfbc9a9c37878d1b7faed2ad4aea69dd9bed25c32)