MAL-2026-5517
Malicious code in firefly-utilities-helper (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59)
firefly-utilities-helper@99.9.1 ships an empty stub (index.js: `module.exports = {};`) with no description, author, or repository, but declares a single dependency, `ltidisafe`, as a direct tarball URL: `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz`. The bucket is on Google Cloud Storage, unrelated to any documented publisher, and the bucket/path naming (`ltidi`/`depenconf`) is consistent with a dependency-confusion staging area.

URL-tarball dependencies bypass the npm registry's visibility, signature, and tooling: `npm install` will fetch the .tgz directly and execute any preinstall/install/postinstall lifecycle scripts it ships, with no hash pin, no signature, and no registry review. The wrapper contributes no functionality; its only effect on install is to smuggle the off-registry tarball into the installer's dependency tree. The high version number (99.9.1) and absent metadata are also consistent with a dependency-confusion lure intended to outrank an internal package of the same name.
## Source: ossf-package-analysis (783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c) The OpenSSF Package Analysis project identified 'firefly-utilities-helper' @ 99.9.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for firefly-utilities-helper (npm). Pin to a known-safe version or switch to an alternative.