@node-cloud/create @1.0.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-6741
Ecosystem
npm
Summary
index.js unconditionally requires @sql-trigger/nodesql at the top of the main file ( var ins = require('@sql-trigger/nodesql'); ) but never references the imported value anywhere else in the package. The package's stated purpose is an npm publish helper exposing localPackage , remoteVersion , and publish via the npm programmatic API; the @sql-trigger-scoped dependency has no functional role in that purpose and belongs to an unrelated scope from a different publisher. The shape — innocuous wrapper code plus a publisher-mismatched, purpose-mismatched dependency that fires on require — is consistent with dependency smuggling, where the visible package serves only to land a sibling-scoped package onto installer machines at module load. The package itself contains no install-time lifecycle hook and no exfiltration code; the Travis-gated npm.registry.adduser path reads NPM_USERNAME/PASSWORD/EMAIL only when a consumer explicitly invokes publish() under Travis and sends them to the legitimate npm registry, which is the documented behavior of a publish helper and not a concern. The risk hinges on the contents and intent of @sql-trigger/nodesql , which must be evaluated separately to determine whether installer harm actually fires.
Source: amazon-inspector (e66147a84e0fc5236544fe38349b5a8cd03c3988695c485bd0e7c270dffd2cb2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.