uipath-sugar-sell@99.9.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5455
Ecosystem
npm
Summary
Package uipath-sugar-sell@99.9.1 exhibits the canonical dependency-confusion shape: an internal-sounding name that targets a UiPath/SugarSell namespace; a version of 99.9.1, chosen to outrank any version of the same name on a private registry during semver resolution; an empty index.js (module.exports = {}), so the package provides no actual functionality; and a single dependency, ltidisafe, declared as a direct URL, https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.8.tgz. The path segment depenconf names the dependency-confusion technique explicitly. Installing this package causes npm to fetch and install that off-registry tarball from the Google Cloud Storage bucket, bypassing the public registry's audit surface; any lifecycle scripts in the tarball run on the installer's machine at npm install time, and the tarball's contents can be changed at any moment by whoever controls the bucket.
Source: amazon-inspector (70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f)
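The three indicators the summary lists (off-registry dependency spec, version overshoot, unverifiable tarball contents) are mechanical enough to check before a lockfile is merged. The following is an added example, not part of the OSV record and not code from UiPath, SugarSell, Amazon Inspector or osv.dev: a small audit over a package.json and a lockfileVersion 2/3 package-lock.json. Both manifests are constructed here to mirror the report; the function names, the 50-major "overshoot" threshold and the placeholder integrity string are assumptions.

```javascript
// Constructed package.json modelled on the report (not the real artifact).
const MANIFEST = {
  name: 'uipath-sugar-sell',
  version: '99.9.1',
  main: 'index.js',
  dependencies: {
    ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.8.tgz',
  },
};

// Constructed package-lock.json (v2/v3 "packages" map) for an app that pulled it in.
// The remote-tarball entry is deliberately written without an integrity field.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'uipath-sugar-sell': '*' } },
    'node_modules/uipath-sugar-sell': {
      version: '99.9.1',
      resolved: 'https://registry.npmjs.org/uipath-sugar-sell/-/uipath-sugar-sell-99.9.1.tgz',
      integrity: 'sha512-PLACEHOLDER', // constructed placeholder, not a real hash
    },
    'node_modules/ltidisafe': {
      version: '2.7.8',
      resolved: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.8.tgz',
    },
  },
};

// Dependency spec forms that npm resolves without consulting the configured registry.
const OFF_REGISTRY_SPECS = [
  [/^https?:\/\//i, 'remote-tarball'],
  [/^git(\+[a-z]+)?:/i, 'git-url'],
  [/^(github|gitlab|bitbucket|gist):/i, 'hosted-git'],
  [/^file:/i, 'local-path'],
  [/^[^@\s/]+\/[^\s/]+$/, 'github-shorthand'], // owner/repo[#ref]
];

// Returns 'registry' for semver ranges, tags and npm: aliases, otherwise the off-registry kind.
function classifySpec(spec) {
  for (const [re, kind] of OFF_REGISTRY_SPECS) if (re.test(spec)) return kind;
  return 'registry';
}

// Heuristic: a major version far above anything an internal package would plausibly
// reach. A production check would compare against the private registry's highest version.
function versionOvershoot(version, maxExpectedMajor = 50) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m !== null && Number(m[1]) >= maxExpectedMajor;
}

// Flags overshoot, off-registry specs and install-time lifecycle hooks in one manifest.
function auditManifest(pkg, opts = {}) {
  const findings = [];
  if (versionOvershoot(pkg.version, opts.maxExpectedMajor)) {
    findings.push({ rule: 'version-overshoot', subject: `${pkg.name}@${pkg.version}` });
  }
  for (const field of ['dependencies', 'optionalDependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') findings.push({ rule: 'off-registry-dependency', subject: name, kind, spec });
    }
  }
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push({ rule: 'lifecycle-script', subject: hook, spec: pkg.scripts[hook] });
  }
  return findings;
}

// Walks the lockfile and flags every entry resolved outside the expected registry origin
// or pinned without an integrity hash (so the lock cannot detect a swapped tarball).
function auditLockfile(lock, registryOrigin = 'https://registry.npmjs.org') {
  const expected = new URL(registryOrigin).origin;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root entry, links and bundled deps
    const subject = path.replace(/^.*node_modules\//, '');
    let origin;
    try { origin = new URL(entry.resolved).origin; } catch { origin = 'unparsable'; }
    if (origin !== expected) findings.push({ rule: 'off-registry-resolved', subject, resolved: entry.resolved });
    if (!entry.integrity) findings.push({ rule: 'missing-integrity', subject });
  }
  return findings;
}

console.log(JSON.stringify({ manifest: auditManifest(MANIFEST), lockfile: auditLockfile(LOCKFILE) }, null, 2));
```

Run against the constructed inputs it reports version-overshoot for uipath-sugar-sell@99.9.1, an off-registry remote-tarball dependency for ltidisafe, and, from the lockfile, both off-registry-resolved and missing-integrity for ltidisafe while the registry-resolved entry passes. A CI gate that fails on any off-registry-resolved finding is the lockfile check the summary's last sentence calls for; installing with npm's --ignore-scripts flag additionally stops lifecycle scripts in a fetched tarball from running, though it does not stop the tarball's code from being required later.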