VDB
KO

MAL-2026-10422

Malicious code in sso-users-detection (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dc80441472ec24451f83aebdc186d5bc532ddadaac8888d3d30b72c17c94f993) sso-users-detection@99.9.1 is a hollow package (main exports `{}`, empty author/description, inflated 99.9.1 version) whose sole effect on install is to pull a runtime dependency named `ltidisafe` from a raw tarball URL on a third-party Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.3.1.tgz`) instead of the npm registry. On `npm install`, npm fetches and installs that tarball, whose contents and lifecycle scripts (preinstall/install/postinstall) are entirely controlled by whoever owns the bucket and bypass npm registry scanning. The `depenconf` path segment, the inflated version number, and the empty index are consistent with a dependency-confusion lure whose only purpose is to smuggle attacker-controlled code into installer dependency trees.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / sso-users-detection

No fixed version published yet for sso-users-detection (npm). Pin to a known-safe version or switch to an alternative.

References