npm

tipsen-last-pls @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10392

Ecosystem

npm

Summary

package.json declares a dependency safe-chain-test whose version specifier is a direct HTTPS tarball URL on an anonymous Cloudflare ephemeral tunnel: https://harris-encourage-westminster-political.trycloudflare.com/safe-chain-test-1.0.0.tgz . On npm install , npm fetches and installs the tarball from this non-registry, mutable, non-publisher-owned host and runs any lifecycle scripts inside it. The tarball is not pinned by integrity hash, is not hosted on the npm registry or a publisher-owned domain, and its contents are entirely controlled by whoever operates the tunnel — enabling arbitrary code execution on the installer's machine at install time. The manifest self-describes as 'Safe Chain transitive tarball scanning reproduction' and ships no code of its own (declared main: index.js is absent), so the package's sole effect on install is to resolve and execute the tunnel-hosted dependency.

Source: amazon-inspector (bdcb8c863a7cdb4b0c61ff35c63613602654ae8cf581eb0b8c8e4bd0ed6c2f62)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.