OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6989 confirms this npm version as malicious. ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency `ltidisafe` from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz`) rather than through the npm registry...
Advisory
MAL-2026-6989
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ag-charts-test (npm)
Details
ag-charts-test@99.9.1 is a hollow package (empty index.js, no scripts, no documented functionality) whose sole effect on installers is resolving its single dependency `ltidisafe` from a direct HTTPS tarball URL on a third-party Google Cloud Storage bucket (`https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.1.9.tgz`) rather than through the npm registry. On `npm install`, the tarball is fetched from that bucket and its contents — including any lifecycle scripts — execute on the installer's machine. The bucket owner can mutate the tarball at any time, so the executed bytes are attacker-controlled. The package name mimics the AG Charts / AG Grid namespace and the inflated `99.9.1` version, combined with the `depenconf` path segment on the bucket URL, is the canonical dependency-confusion shape (outbidding an internal `ag-charts-*` name to force resolution of the attacker's package into a private build). No legitimate purpose is documented and the package ships no code of its own.
Decision reason
OpenSSF Malicious Packages via OSV confirms ag-charts-test@99.9.1 as malicious (MAL-2026-6989): Malicious code in ag-charts-test (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory