tipsen-poc-again @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10393
Ecosystem
npm
Summary
package.json declares its sole runtime dependency safe-chain-test as an HTTPS tarball URL pointing at a trycloudflare.com quick-tunnel host ( https://dominant-vary-ran-americas.trycloudflare.com/safe-chain-test-1.0.0.tgz ). trycloudflare quick-tunnel hosts are anonymous, ephemeral, publisher-unattributable, and fully mutable — the operator can serve arbitrary bytes to any installer at any time, and the bytes are not subject to npm registry scanning. On npm install , npm fetches this tarball and installs it into the dependency tree; whatever lifecycle scripts or top-level code the current tarball contains will execute on the installer's machine. This is a transitive code-delivery channel routed through an attacker-controlled hop that bypasses registry integrity controls.
Source: amazon-inspector (c0977477bc81c656f52fb981657983580b411dda6d2c6766ba4d6a35fe4ae970)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.