VDB
KO

MAL-2026-10443

Malicious code in home-sections-web-ui (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2e6c206f8844e1ff870876bc1ac8cdf2b10ee2c36caf61883eb5a8f03caa5405) package.json declares the dependency `ltidisafe` as a direct tarball URL (`https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz`) hosted on an anonymous Google Cloud Storage bucket unrelated to any known publisher. Installing this package causes npm to fetch and install arbitrary, attacker-mutable JavaScript from that URL into the installer's dependency tree, bypassing the npm registry entirely. Package metadata is consistent with a throwaway lure: nonsensical author (`lslsls`), placeholder description (`lspodcc`), version `99.9.9`, and a bucket name (`lscunpentest`) suggesting pen-test / dependency-confusion tooling. The fetched tarball's contents are not pinned by hash and can be swapped at any time by whoever controls the bucket.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / home-sections-web-ui

No fixed version published yet for home-sections-web-ui (npm). Pin to a known-safe version or switch to an alternative.

References