MAL-2026-10553
Malicious code in home-mp-commons (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (885b9dad73e9eeb07a1fcb4a94493ec85573f656f7b9347a8682f56db359cfd6) home-mp-commons@999.0.3 is an empty npm package (declared main index.js is absent from the tarball) whose sole effect on install is to resolve a single dependency 'ltidisafe' from a hardcoded off-registry URL at https://storage.googleapis.com/bowpentest/pack-home-mp-commons.tgz. On npm install, npm fetches and installs that tarball from an anonymous Google Cloud Storage bucket; any lifecycle scripts or main module inside the fetched tarball then execute on the installer's machine. The bucket contents are mutable and controlled by whoever owns the 'bowpentest' bucket, not by any documented publisher or the npm registry. The package name pattern combined with a 999.x.x version bump and an internal-sounding scope-free name is the canonical dependency-confusion delivery shape: a hollow lure that pulls attacker-controlled code into the installer's node_modules at install time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for home-mp-commons (npm). Pin to a known-safe version or switch to an alternative.