VDB
KO

MAL-2026-10421

Malicious code in portway (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e04dc52cd77658d168578535fb67d77ea76de79beadb77e14c96f023f4e51772) package.json declares the dependency 'ltidisafe' as a direct https tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.2.tgz) rather than a package on the npm registry. On `npm install portway`, npm fetches that tarball and installs its contents into the installer's node_modules. The URL points to a generic Google Cloud Storage bucket unrelated to any established publisher, is not pinned by integrity hash, and is mutable by whoever controls the bucket. The bucket contents bypass npm registry review and are not visible to registry-side scanners. The package itself ships an empty index.js and no lifecycle scripts, so its only effect on installation is pulling this off-registry tarball into the installer's dependency graph, where its code runs under the normal require/lifecycle rules of whatever it contains.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / portway

No fixed version published yet for portway (npm). Pin to a known-safe version or switch to an alternative.

References