MAL-2026-6095

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f612eb2fa947323c936a0bb1becc602f0f837f9023edac22a945470566386a8c) oem-agentic-shared@99.9.1 is a hollow stub: index.js exports an empty object and package.json has empty author, empty description, and no real functionality. Its sole effect on install is to pull in a single dependency declared as a direct HTTPS tarball URL — `ltidisafe` pinned to `https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.9.tgz` — instead of an npm-registry version. The Google Cloud Storage bucket is not associated with this package's name and is not a known publisher CDN, so the tarball contents bypass npm-registry scanning entirely and any lifecycle scripts inside that tarball execute on `npm install`. The wrapper-plus-off-registry-tarball shape is a known smuggling pattern whose only purpose is to inject attacker-controlled, unscanned code into the installer's dependency graph.