npm · Malicious package advisory
Malwarehome-sections-web-ui
MAL-2026-10443
Malicious code in home-sections-web-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2e6c206f8844e1ff870876bc1ac8cdf2b10ee2c36caf61883eb5a8f03caa5405) package.json declares the dependency `ltidisafe` as a direct tarball URL (`https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz`) hosted on an anonymous Google Cloud Storage bucket unrelated to any known publisher. Installing this package causes npm to fetch and install arbitrary, attacker-mutable JavaScript from that URL into the installer's dependency tree, bypassing the npm registry entirely. Package metadata is consistent with a throwaway lure: nonsensical author (`lslsls`), placeholder description (`lspodcc`), version `99.9.9`, and a bucket name (`lscunpentest`) suggesting pen-test / dependency-confusion tooling. The fetched tarball's contents are not pinned by hash and can be swapped at any time by whoever controls the bucket.
Compromised versions (1)
- 99.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.