hexo-deployer-wrangler @1.0.4
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:46 AM UTC
OSV ID
MAL-2026-6491
Ecosystem
npm
Summary
The package ships a binding.gyp file (line 6) containing GYP command-expansion syntax (<!(...)) inside the targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present (even without a declared install/postinstall script), and GYP evaluates <!(...) as a shell command during the configure step. This causes arbitrary code execution on the installer's machine on a default npm install, functionally identical to a lifecycle hook. The package does not ship any native source files (no .c/.cc/.cpp/.h) that would justify a real node-gyp build configuration, indicating the binding.gyp's sole purpose is to run the embedded shell command. The package name also impersonates the legitimate hexo-deployer-* ecosystem combined with Cloudflare's wrangler tooling, a typical lure pattern.
Source: amazon-inspector (ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb)