calvuepro @0.1.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-7028
Ecosystem
npm
Summary
Package ships a 5.7MB prebuilt darwin-arm64 Mach-O at vendor/clavuepro-darwin-arm64 with no source tree, no hash/signature verification, and no upstream release URL to cross-reference. The bin wrapper bin/calvuepro.js chmods the binary 0755 and spawns it with the caller's argv via spawnSync. There are no lifecycle scripts and no main field, so the binary executes only when a user explicitly runs the CLI — not on npm install or require() . Notable inconsistency: the npm package name is calvuepro while the shipped binary, repository (mycode699/clavue-v2), and CLI alias all use clavuepro — a one-character difference that is worth a human review of publisher identity before trusting lifecycle execution of opaque native code. No exfiltration, no credential access, no install-time fetch+execute, and no network behavior was observed in the loader script.
Source: amazon-inspector (9de2057a076c31ca107db2c3e8d330a7b4aa2d8d67896cecd6c7ebef21d07731)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.