MAL-2026-10419
Malicious code in notifications-broadcast (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bd1aba4582464347961d36f63f501a5aaf2c190322e7ab8d8e4231c076b817e2) notifications-broadcast@99.9.1 ships an empty index.js (`module.exports = {};`) with placeholder metadata (empty description, empty author, version 99.9.1 consistent with a dependency-confusion stub). Its only functional content is a dependency entry that resolves `ltidisafe` to a tarball URL at `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.4.tgz` rather than the npm registry. The Google Cloud Storage bucket `ltidi.storage.googleapis.com` is not tied to a verifiable npm publisher identity, the tarball is not pinned by hash, and the bucket path segment `depenconf` matches the dependency-confusion attack shape. On `npm install`, npm fetches this tarball and installs its contents into the installer's `node_modules`, executing any lifecycle scripts and making its code reachable via `require()`. Whoever controls the GCS bucket therefore obtains code execution in the installer's environment via the transitive dependency, and the bucket contents can be mutated at any time without any change to this package.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for notifications-broadcast (npm). Pin to a known-safe version or switch to an alternative.