VDB
KO

MAL-2026-5159

Malicious code in po-ops-local-dev (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c7d0f2e829316d0c6a04bc41fb4d187569c00c3273384b1666d3068a0e696291) po-ops-local-dev@99.9.1 has no functional code of its own (index.js contains only `module.exports = {};` and there are no lifecycle scripts). Its sole effect on install is to pull `ltidisafe` directly from `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.2.tgz` — a Google Cloud Storage bucket, not the npm registry. The package name `po-ops-local-dev` combined with the `depenconf` path segment in the tarball URL is consistent with a dependency-confusion staging or research artifact. On `npm install`, npm fetches that tarball and runs any lifecycle scripts it contains; the contents at that GCS URL are mutable and outside npm's integrity verification. The actual installer impact depends entirely on what bytes the GCS bucket serves, which were not inspected here.

## Source: ossf-package-analysis (ed7a024c524e1a4bc29e2670d7dc00e5aa4c6891650c3c6bf38a2f388f4a3cb9) The OpenSSF Package Analysis project identified 'po-ops-local-dev' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / po-ops-local-dev

No fixed version published yet for po-ops-local-dev (npm). Pin to a known-safe version or switch to an alternative.

References