VYPR

npm · Malicious package advisory

Malware

polylabel-web-lib

MAL-2026-10198

Malicious code in polylabel-web-lib (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ce7df46acd8236fafbaa27dbccb92d1f286c17b023ea5ff555700e76c4a0188f)
polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz". On `npm install`, npm fetches this out-of-registry tarball and runs any lifecycle scripts it contains, so the bucket owner controls arbitrary install-time code that executes on the installer's machine. The tarball host is not the npm registry, is not tied to an established publisher CDN for this name, and its contents are mutable at the bucket owner's discretion. The package's own code has no functional purpose beyond smuggling this out-of-registry dependency into installer environments, matching the dependency-smuggling / lure shape used to deliver install-time payloads.

Compromised versions (1)

  • 99.9.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.