MAL-2026-10415
Malicious code in frontend-regulations (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6d88817d57907505adf7d303019c78adceb6da7bedf1e3416f2b9a1e80605ca1) frontend-regulations@99.9.1 is a near-empty wrapper (index.js exports an empty object) whose package.json declares the dependency 'ltidisafe' with the URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.3.tgz instead of a registry version. Installing this package causes npm to fetch a tarball from a Google Cloud Storage bucket unrelated to any documented publisher and place it into the installer's node_modules, where its lifecycle scripts and main entry execute during `npm install`. The wrapper package itself provides no functionality; its only effect is to smuggle the externally-hosted tarball into the dependency tree. The suspiciously high version number (99.9.1) combined with a hollow main entry and an off-registry dependency URL matches the dependency-chain dropper pattern.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for frontend-regulations (npm). Pin to a known-safe version or switch to an alternative.