npm · Malicious package advisory
Malware@druids/ui
MAL-2026-4385
Malicious code in @druids/ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (071ce35c0d6a17c606e5448f4c485228df973342935b0a11519304050877edf5) The package's package.json declares a dependency `ltidisafe` resolved not from the npm registry but as a direct tarball URL: `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.6.2.tgz`. On `npm install`, npm will fetch and install that tarball, executing whatever lifecycle scripts and code it contains on the installer's machine with no audit trail in this package's published source. Several corroborating signals indicate this is dependency-confusion / namespace-abuse tooling rather than a legitimate UI library: the GCS bucket path literally contains the string `depenconf` (a common shorthand for dependency-confusion); the package version is 99.9.1, the high-version-squat pattern used to outrank a private internal package of the same name; package metadata (author, description) is empty; and the package's own index.js is near-empty, providing no library functionality consistent with the `@druids/ui` name. The installer-side harm is the silent inclusion of an attacker-controlled, registry-unaudited transitive into the dependency tree.
Compromised versions (1)
- 99.9.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.