MAL-2026-6546
Malicious code in ryan-pdf-js (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb)

ryan-pdf-js@99.9.1 is an empty stub package (index.js exports {}) whose sole purpose is to deliver an off-registry payload at install time. Its package.json declares its only dependency, `ltidisafe`, as a direct HTTPS tarball URL on a generic Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz) rather than a registry name, bypassing npm registry scanning. On `npm install`, npm fetches and unpacks that tarball, and any lifecycle scripts it contains execute on the installer's machine.

The bucket path `depenconf/` is consistent with dependency-confusion staging, and the package name evokes the widely-used pdf.js ecosystem while shipping no real implementation — a typosquat-shaped lure whose only effect is to route installs through the off-registry dropper.
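The delivery mechanism above is visible in the manifest before anything is installed: the dependency spec is a tarball URL, not a registry name, and the lockfile's `resolved` field for it points at a storage bucket. The following JavaScript is an added example, not code from the advisory, from Amazon Inspector, or from any project it names. It scans a package.json object for non-registry dependency specs and a package-lock.json (lockfileVersion 2 or 3) for `resolved` URLs whose host is not an allowed registry. The allowed-host set (`registry.npmjs.org`), the function names, and both sample manifests are assumptions constructed for illustration; only the tarball URL is taken from the advisory.

```javascript
// Added example, not code from the OSV advisory or from any project it names:
// scan a package.json and a package-lock.json for dependencies that resolve
// somewhere other than the npm registry, the delivery pattern described above.
// The sample manifests at the bottom are constructed; only the tarball URL is
// taken from the advisory.

// Assumption: the public npm registry is the only place packages may come from.
const ALLOWED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

// npm accepts these spec shapes as non-registry dependencies:
//   https://.../pkg.tgz, http://..., git://..., git+ssh://..., ssh://...
//   github:user/repo (also gitlab:, bitbucket:, gist:), bare user/repo shorthand
//   file:../local, and relative or absolute paths
// Version ranges, dist-tags and npm:name@range aliases stay on the registry.
function isOffRegistrySpec(spec) {
  if (typeof spec !== 'string') return true; // malformed spec: treat as suspect
  const s = spec.trim();
  if (/^(https?|git(\+[a-z]+)?|ssh|file|github|gitlab|bitbucket|gist):/i.test(s)) return true;
  if (/^(\.\.?\/|\/|~\/)/.test(s)) return true; // local path
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return true; // GitHub user/repo shorthand
  return false;
}

// Walk every dependency field of a package.json object and report specs that
// point off the registry. Returns [{ field, name, spec }].
function findOffRegistryDeps(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const hits = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isOffRegistrySpec(spec)) hits.push({ field, name, spec });
    }
  }
  return hits;
}

// package-lock.json (lockfileVersion 2 or 3) records a `resolved` URL for each
// installed package under `packages`. Anything whose host is not an allowed
// registry is reported, which also catches transitive dependencies that the
// top-level package.json never mentions. A `resolved` value that is not a URL
// (a local path) is reported with host null. Returns [{ path, resolved, host }].
function findNonRegistryResolved(lock, allowedHosts = ALLOWED_REGISTRY_HOSTS) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root project entry, or no origin recorded
    let host = null;
    try { host = new URL(entry.resolved).host; } catch (_) { /* not a URL */ }
    if (host === null || !allowedHosts.has(host)) {
      hits.push({ path, resolved: entry.resolved, host });
    }
  }
  return hits;
}

// Constructed sample package.json shaped like the one described in the advisory,
// with one ordinary registry devDependency added for contrast.
const samplePkg = {
  name: 'ryan-pdf-js',
  version: '99.9.1',
  dependencies: {
    ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz',
  },
  devDependencies: { semver: '^7.6.0' },
};

// Constructed sample package-lock.json for the same project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'ryan-pdf-js', version: '99.9.1' },
    'node_modules/ltidisafe': {
      version: '3.1.1',
      resolved: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.1.tgz',
    },
    'node_modules/semver': {
      version: '7.6.0',
      resolved: 'https://registry.npmjs.org/semver/-/semver-7.6.0.tgz',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('package.json off-registry specs:', findOffRegistryDeps(samplePkg));
  console.log('package-lock.json non-registry resolved:', findNonRegistryResolved(sampleLock));
}
```

Run the lockfile check in CI before `npm ci`, since the lockfile is what `npm ci` installs and it records transitive origins that package.json does not. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle scripts from running on the installer's machine, but the tarball is still fetched and unpacked, so it limits the blast radius rather than removing the dependency.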
Affected packages
No fixed version has been published for ryan-pdf-js (npm). Because the package ships no real implementation, there is no known-safe version to pin; remove the dependency and switch to an alternative.