OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10198 confirms this npm version as malicious. polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz"...
Advisory
MAL-2026-10198
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polylabel-web-lib (npm)
Details
polylabel-web-lib@99.9.1 ships an empty index.js stub and declares its only runtime dependency as a direct tarball URL on a Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.2.2.tgz". On `npm install`, npm fetches this out-of-registry tarball and runs any lifecycle scripts it contains, so the bucket owner controls arbitrary install-time code that executes on the installer's machine. The tarball host is not the npm registry, is not tied to an established publisher CDN for this name, and its contents are mutable at the bucket owner's discretion. The package's own code has no functional purpose beyond smuggling this out-of-registry dependency into installer environments, matching the dependency-smuggling / lure shape used to deliver install-time payloads.
Decision reason
OpenSSF Malicious Packages via OSV confirms polylabel-web-lib@99.9.1 as malicious (MAL-2026-10198): Malicious code in polylabel-web-lib (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory