MAL-2026-6989
Malicious code in ag-charts-test (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9) ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency `ltidisafe` from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz`) rather than through the npm registry. On `npm install`, the tarball is fetched from that bucket and its contents — including any lifecycle scripts — execute on the installer's machine. The bucket owner can mutate the tarball at any time, so the executed bytes are attacker-controlled. The package name mimics the AG Charts / AG Grid namespace and the inflated `99.9.1` version, combined with the `depenconf` path segment on the bucket URL, is the canonical dependency-confusion shape (outbidding an internal `ag-charts-*` name to force resolution of the attacker's package into a private build). No legitimate purpose is documented and the package ships no code of its own.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for ag-charts-test (npm). Pin to a known-safe version or switch to an alternative.