npm

block-slot @1.0.9

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6416

Ecosystem

npm

Summary

Pattern matches fired on index.js for the co-occurrence of child_process require, HTTP GET calls, and env-related keywords within a single file. No traced code path was confirmed to perform exfiltration, install-time fetch-and-execute, silent-relay, or credential harvesting. The matches may reflect benign composition (e.g., a CLI that spawns subprocesses and makes outbound HTTP requests for documented purposes), but the bundle's intent could not be verified from pattern signals alone. A human reviewer should de-minify or read index.js to confirm whether the HTTP destinations are attacker-controlled, whether process.env contents are sent outbound, and whether any of this fires at install/require time versus only on explicit CLI invocation.

Source: amazon-inspector (c9443517fbcf695478ab489e9a375823ed1a0030cf6a3a4f6262effca4c5406b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.