MAL-2026-5028
Malicious code in sorenson-webfonts (npm)
Details
## Source: amazon-inspector (d45b3e803fc04f697e067f5dfbc9a9c37878d1b7faed2ad4aea69dd9bed25c32)

sorenson-webfonts@99.9.1 is a hollow package: index.js is a 2-line stub (`'use strict'; module.exports = {};`), author/description fields are empty, and the version number 99.9.1 is the high-version pattern characteristic of dependency-confusion attempts to override an internal package. The package's only effect on install is to pull a single dependency, `ltidisafe`, directly from an HTTPS tarball URL on a Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.2.tgz`) — a non-registry, non-publisher location whose path segment `depenconf` suggests dependency-confusion staging. Resolving this dependency causes npm to fetch and execute the lifecycle scripts of an off-registry tarball whose contents are not pinned by integrity hash and not subject to registry review. The package name (`sorenson-webfonts`) bears no relation to the dependency name or to any stated purpose; there is no advertised webfont functionality in the shipped code. The combination of empty body, placeholder metadata, 99.9.x version, and an unrelated off-registry tarball pulled from a bucket path named after dependency confusion is the smuggling-vehicle shape rather than a legitimate library.
## Source: ghsa-malware (a7a85f8e229c782c539b789ce76318de0a70b62a6b6ba1b00f14407c01d83a9b)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (ebdc541a49aeb340c75d6a96abee6465496dc22a04e82be2f03b85b2be1c3881)

The OpenSSF Package Analysis project identified 'sorenson-webfonts' @ 99.9.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages

No fixed version published yet for sorenson-webfonts (npm). Pin to a known-safe version or switch to an alternative.