VDB
KO

MAL-2026-10198

Malicious code in polylabel-web-lib (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ce7df46acd8236fafbaa27dbccb92d1f286c17b023ea5ff555700e76c4a0188f) polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz". On `npm install`, npm fetches this out-of-registry tarball and runs any lifecycle scripts it contains, so the bucket owner controls arbitrary install-time code that executes on the installer's machine. The tarball host is not the npm registry, is not tied to an established publisher CDN for this name, and its contents are mutable at the bucket owner's discretion. The package's own code has no functional purpose beyond smuggling this out-of-registry dependency into installer environments, matching the dependency-smuggling / lure shape used to deliver install-time payloads.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polylabel-web-lib

No fixed version published yet for polylabel-web-lib (npm). Pin to a known-safe version or switch to an alternative.

References