MAL-2026-10422: Malicious code in sso-users-detection (npm)
The npm package sso-users-detection version 99.9.1 is identified as a hollow package with no legitimate content. Its installation causes npm to fetch and install a runtime dependency named ltdisafe from a third-party Google Cloud Storage bucket, bypassing npm registry scanning. This behavior is consistent with a dependency confusion attack designed to smuggle attacker-controlled code into the dependency tree.
AI Analysis
Technical Summary
The sso-users-detection package at version 99.9.1 is a malicious npm package that acts as a dependency confusion lure. It contains no meaningful exports or metadata and uses an inflated version number. Upon installation, it pulls a runtime dependency (ltidisafe) from a raw tarball hosted on a third-party Google Cloud Storage bucket rather than the official npm registry. This external tarball and its lifecycle scripts are fully controlled by the attacker, allowing arbitrary code execution during installation. The package's design bypasses npm registry scanning, increasing the risk of unnoticed malicious code execution in projects that include it.
Potential Impact
If installed, this package causes npm to execute attacker-controlled code from an external source during the installation process. This can lead to arbitrary code execution on the developer's machine or build environment, potentially compromising the system or the software supply chain. The malicious package does not appear to have known exploits in the wild at this time.
Mitigation Recommendations
No official patch or fix is available for this package. The best mitigation is to avoid installing sso-users-detection version 99.9.1 and audit dependencies for suspicious or hollow packages. Since the malicious code is hosted outside the npm registry, reliance on npm registry scanning alone is insufficient. Developers should verify package provenance and avoid dependencies with empty metadata and unusual versioning. Monitoring for updates or advisories from npm or security vendors is recommended.
MAL-2026-10422: Malicious code in sso-users-detection (npm)
Description
The npm package sso-users-detection version 99.9.1 is identified as a hollow package with no legitimate content. Its installation causes npm to fetch and install a runtime dependency named ltdisafe from a third-party Google Cloud Storage bucket, bypassing npm registry scanning. This behavior is consistent with a dependency confusion attack designed to smuggle attacker-controlled code into the dependency tree.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The sso-users-detection package at version 99.9.1 is a malicious npm package that acts as a dependency confusion lure. It contains no meaningful exports or metadata and uses an inflated version number. Upon installation, it pulls a runtime dependency (ltidisafe) from a raw tarball hosted on a third-party Google Cloud Storage bucket rather than the official npm registry. This external tarball and its lifecycle scripts are fully controlled by the attacker, allowing arbitrary code execution during installation. The package's design bypasses npm registry scanning, increasing the risk of unnoticed malicious code execution in projects that include it.
Potential Impact
If installed, this package causes npm to execute attacker-controlled code from an external source during the installation process. This can lead to arbitrary code execution on the developer's machine or build environment, potentially compromising the system or the software supply chain. The malicious package does not appear to have known exploits in the wild at this time.
Mitigation Recommendations
No official patch or fix is available for this package. The best mitigation is to avoid installing sso-users-detection version 99.9.1 and audit dependencies for suspicious or hollow packages. Since the malicious code is hosted outside the npm registry, reliance on npm registry scanning alone is insufficient. Developers should verify package provenance and avoid dependencies with empty metadata and unusual versioning. Monitoring for updates or advisories from npm or security vendors is recommended.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10422
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ad9c68715ace438f3cd7
Added to database: 07/13/2026, 09:19:24 UTC
Last enriched: 07/13/2026, 09:26:33 UTC
Last updated: 07/13/2026, 09:26:33 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.