npm

hexo-shoka-swiper @0.1.10

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:46 AM UTC

Malicious

OSV ID

MAL-2026-6492

Ecosystem

npm

Summary

The package ships a binding.gyp whose sources field uses GYP command-expansion syntax (<!(...)) at line 6. npm's default install script is node-gyp rebuild whenever a package contains a binding.gyp and declares no install or preinstall script, and during the configure step GYP evaluates <!(...) by running the enclosed command in a shell. Simply running npm install hexo-shoka-swiper is therefore enough to execute the embedded shell command on the installer's machine, even though package.json declares no lifecycle script. The package's nominal purpose is a Hexo theme Swiper integration, a pure JavaScript front-end concern with no legitimate reason to build a native addon or to evaluate shell commands at install time. The binding.gyp here functions as a substitute for an install lifecycle hook, providing arbitrary install-time code execution rather than describing a real native build. Because the implicit rebuild is itself an npm lifecycle script, npm install --ignore-scripts suppresses it; a binding.gyp in a package that lists no native source files is the indicator to look for.

Source: amazon-inspector (62f045b55721408d94a92f5d65b58d69c98d3dc29d5f4f9327fb8edb4f85eaad)
