registry  /  @mp-op-ss-front-lib/tracks  /  99.9.1

@mp-op-ss-front-lib/tracks@99.9.1

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No local malicious behavior is established. Installing resolves an unverified remote tarball dependency, creating an external supply-chain payload path.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation resolves dependencies
Impact
Remote dependency code may run according to its own package metadata; no local execution chain is present.
Mechanism
remote tarball dependency resolution
Rationale
The only meaningful risk is the unverified remote dependency; inspected local source is inert and has no lifecycle hooks. Downgrade to warn rather than block because no concrete attack behavior is present in this package.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.3.tgz

Decision evidence

public snapshot
AI called this Suspicious at 79.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json declares dependency ltidisafe from a remote tarball URL.
  • Remote dependency contents are outside this extracted package and cannot be source-verified here.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare hooks.
  • index.js only exports an empty object.
  • Package contains only package.json and index.js; no local network, shell, eval, or file-write code.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 35 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.3.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg

Findings

1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present