VDB
KO

MAL-2026-6989

Malicious code in ag-charts-test (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9) ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency `ltidisafe` from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz`) rather than through the npm registry. On `npm install`, the tarball is fetched from that bucket and its contents — including any lifecycle scripts — execute on the installer's machine. The bucket owner can mutate the tarball at any time, so the executed bytes are attacker-controlled. The package name mimics the AG Charts / AG Grid namespace and the inflated `99.9.1` version, combined with the `depenconf` path segment on the bucket URL, is the canonical dependency-confusion shape (outbidding an internal `ag-charts-*` name to force resolution of the attacker's package into a private build). No legitimate purpose is documented and the package ships no code of its own.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ag-charts-test

No fixed version published yet for ag-charts-test (npm). Pin to a known-safe version or switch to an alternative.

References