Package ships a trivial index.js (module.exports = {};) and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9 declares "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.3.9.tgz" — an unpinned (no integrity hash, mutable bucket object) tarball hosted outside the npm registry, bypassing registry-side audit. The bucket path literally contains the string depenconf (dependency-confusion). On npm install, npm fetches the GCS tarball and runs any lifecycle scripts inside it on the installer's machine; the author can swap the tarball bytes at any time. Corroborating signals: version is squatted at 99.9.1 for a brand-new scope, description and author fields are empty, and the main module has no functionality matching the package's x-web-core name. The package itself is a lure whose only effect on install is to pull attacker-controlled, non-registry, mutable code into the installer's dependency tree.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.