MAL-2026-10581
Malicious code in process-status-widget (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (afd09cd68063b99549f252d3db30b88d9eb4c9e479c784ad0c09ce063764d768) process-status-widget@99.9.1 is an empty stub (index.js exports {}, empty author/description, suspicious version 99.9.1) whose sole material effect on install is to resolve its only declared dependency 'ltidisafe' from a direct HTTPS tarball URL — https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.1.tgz — rather than from the npm registry. Installing this package causes npm to fetch and install arbitrary code from that anonymous Google Cloud Storage bucket, bypassing registry-side scanning and any tie to a known publisher. The bucket contents are mutable at the operator's discretion, and any lifecycle scripts inside the fetched tarball execute on install. The package shape (empty main, external URL dep, no functionality of its own) matches a dependency-smuggling / hijack-vehicle pattern.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for process-status-widget (npm). Pin to a known-safe version or switch to an alternative.