npm · Malicious package advisory
Malwareportway
MAL-2026-10421
Malicious code in portway (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e04dc52cd77658d168578535fb67d77ea76de79beadb77e14c96f023f4e51772) package.json declares the dependency 'ltidisafe' as a direct https tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.2.tgz) rather than a package on the npm registry. On `npm install portway`, npm fetches that tarball and installs its contents into the installer's node_modules. The URL points to a generic Google Cloud Storage bucket unrelated to any established publisher, is not pinned by integrity hash, and is mutable by whoever controls the bucket. The bucket contents bypass npm registry review and are not visible to registry-side scanners. The package itself ships an empty index.js and no lifecycle scripts, so its only effect on installation is pulling this off-registry tarball into the installer's dependency graph, where its code runs under the normal require/lifecycle rules of whatever it contains.
Compromised versions (1)
- 99.9.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.