npm · Malicious package advisory
Malware@sourceflow-uk/sourceflow-tracker
MAL-2026-5430
Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d)
package.json declares a dependency `ltidisafe` whose version specifier is the raw URL `https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz` — a tarball hosted on a generic Google Cloud Storage bucket unrelated to the package's nominal publisher (@sourceflow-uk). On `npm install`, npm fetches and installs that tarball as a transitive dependency, executing any lifecycle scripts (preinstall/install/postinstall) it contains on the installer's machine. The URL is not version-pinned, not hash-verified, and not under the publisher's control: the bucket owner can swap the tarball contents at any time, so a future install delivers different bytes than a present install with no package change. The wrapper package itself is hollow — `index.js` only runs `console.log("hello from lslslslslss")`, the description is the garbled string `lspodcc`, the author is `lslsls`, and the version is `99.91.9`. These attributes are inconsistent with the advertised "sourceflow tracker" functionality and consistent with a throwaway lure whose sole purpose is to chain-load the third-party tarball into the installer's dependency tree.
Compromised versions (1)
- 99.91.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.