npm

tipsen-last @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10391

Ecosystem

npm

Summary

package.json declares its only runtime dependency ("safe-chain-test") as a direct tarball URL on hoped-twice-evaluation-site.trycloudflare.com — an ephemeral, anonymous Cloudflare tunnel host with no publisher identity, no version pinning, and no hash or signature verification. On npm install , npm fetches whatever bytes the tunnel operator is serving at that moment and installs the result into the dependency tree; the transitive tarball can declare its own preinstall/install/postinstall lifecycle scripts, which npm will execute against the installer's machine. The tunnel operator can swap the served content at will, so even a benign snapshot today provides no assurance about tomorrow. The package itself ships no code (the declared main index.js is absent from the tarball) — its entire install-time effect is to pull attacker-mutable code into the installer's environment.

Source: amazon-inspector (d8dda277dd82e1c50906cff18341bb76485eed33ba42d39b228c447514e4081f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.