VYPR

npm · Malicious package advisory

Malware

sourceflow-tracker

MAL-2026-5166

Malicious code in sourceflow-tracker (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0c32024f2d571ac850d0e9a7240951137c14d1f1529ab3e0f782ff677a5625ea)
package.json declares a dependency `ltidisafe` resolved directly from a raw tarball URL on a generic Google Cloud Storage bucket (`https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz`). The tarball is unversioned, carries no integrity hash, and is hosted on infrastructure unrelated to any documented publisher; the bucket owner can replace its bytes at any time without changing the URL. On `npm install`, npm fetches and installs this tarball transitively and runs any lifecycle scripts it ships. The visible package itself is a stub: `index.js` only contains `console.log("hello from lslslslslss")`, package metadata is placeholder gibberish (description `lspodcc`, author `lslsls`), and the version is set to `99.91.9` — a pattern consistent with dependency-confusion attempts to outrank a legitimate internal package of the same name. The package's only practical effect when installed is to drop attacker-mutable code into the consumer's install graph.

## Source: ossf-package-analysis (1699207dcb748d9894d27585d5e49f48e906eae167d75434c15cd15f1aeb5502)
The OpenSSF Package Analysis project identified 'sourceflow-tracker' @ 99.91.9 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 99.91.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.