MAL-2026-4432

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9) Package is a hollow lure: index.js is a 35-byte stub (`module.exports = {}`), description and author are empty, and the version is bumped to 99.9.1 — the canonical version-race shape used to beat an internal `@sec-loans-ui/utils` package in resolution. The package's only on-install effect is its single dependency, declared as a direct HTTPS tarball URL: `"ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.4.1.tgz"`. The host `ltidi.storage.googleapis.com` is an anonymous third-party Google Cloud Storage bucket, not an npm-registry package and not infrastructure under the `@sec-loans-ui` scope. The URL path literally contains the string `depenconf`. On `npm install`, npm fetches that tarball and runs whatever lifecycle scripts it contains; the bucket owner can rotate the bytes served at that URL at any time without any change to this manifest. Installer harm: any environment that resolves this package as their internal `@sec-loans-ui/utils` will execute attacker-controlled code from a mutable, opaque, non-publisher bucket.

## Source: ghsa-malware (da0e1e23132e65746453d3d7b116ae7988a0428656b579545bb58646f1ac422b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.