data-parser-utils @3.0.2
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:46 AM UTC
OSV ID: MAL-2026-6490
Ecosystem: npm
Summary
index.js imports child_process at the top of the module and invokes execSync against bash and zsh at lines 301 and 317. The shape — require('child_process') at module top with execSync('bash...') and execSync('zsh...') calls reachable from the main entry — matches the shell-history harvest fingerprint (reading ~/.bash_history / ~/.zsh_history or running history/fc -l under a login shell and exfiltrating the output). Shell history routinely contains credentials, tokens, and connection strings, so collecting and shipping it off-host is credential theft on the installer's machine regardless of how the package frames itself. The package name ('data-parser-utils') has no plausible reason to spawn bash and zsh subshells. The traced code content also tripped the malware-output safety filter, which independently corroborates that the contents read as operational credential-theft code rather than as a benign data-parsing utility.
Source: amazon-inspector (2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8)