registry  /  home-sections-web-ui  /  99.9.9

home-sections-web-ui@99.9.9

lspodcc

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious code exists in the inspected package source. Installing it resolves an uninspected remote tarball dependency.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of home-sections-web-ui@99.9.9
Impact
Uninspected dependency code could execute through its own lifecycle or runtime behavior.
Mechanism
remote tarball dependency resolution
Rationale
Source inspection found no concrete malicious behavior in this package, but the remote tarball dependency creates an unresolved supply-chain execution risk on installation. Warn rather than block because the inspected source does not establish malicious intent or payload behavior.
Evidence
package.jsonindex.js
Network endpoints1
storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10443
Source
OpenSSF Malicious Packages via OSV
Summary
Source inspection found no concrete malicious behavior in this package, but the remote tarball dependency creates an unresolved supply-chain execution risk on installation. Warn rather than block because the inspected source does not establish malicious intent or payload behavior.
References

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • `package.json` declares `ltidisafe` from a remote Google Cloud Storage tarball.
  • The remote dependency is fetched during npm dependency installation and its source is not present for inspection.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `index.js` only logs a fixed greeting.
  • Package contains only `package.json` and `index.js`; no file, credential, shell, or network logic was found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
Manifest
NoLicense
scanned 1 file(s), 38 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Remote tarball dependency specs: ltidisafe@https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg

Findings

1 Medium2 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowNo License