OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10553 confirms this npm version as malicious. home-mp-commons@999.0.3 is an empty npm package (declared main index.js is absent from the tarball) whose sole effect on install is to resolve a single dependency 'ltidisafe' from a hardcoded off-registry URL at https://storage.googleapis.com/bowpentest/pack-home-mp-commons.tgz...
Advisory
MAL-2026-10553
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in home-mp-commons (npm)
Details
home-mp-commons@999.0.3 is an empty npm package (declared main index.js is absent from the tarball) whose sole effect on install is to resolve a single dependency 'ltidisafe' from a hardcoded off-registry URL at https://storage.googleapis.com/bowpentest/pack-home-mp-commons.tgz. On npm install, npm fetches and installs that tarball from an anonymous Google Cloud Storage bucket; any lifecycle scripts or main module inside the fetched tarball then execute on the installer's machine. The bucket contents are mutable and controlled by whoever owns the 'bowpentest' bucket, not by any documented publisher or the npm registry. The package name pattern combined with a 999.x.x version bump and an internal-sounding scope-free name is the canonical dependency-confusion delivery shape: a hollow lure that pulls attacker-controlled code into the installer's node_modules at install time.
Decision reason
OpenSSF Malicious Packages via OSV confirms home-mp-commons@999.0.3 as malicious (MAL-2026-10553): Malicious code in home-mp-commons (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory