npm

ioredis-orm @5.11.2

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-5675

Ecosystem

npm

Summary

The tarball ships a verbatim copy of the legitimate ioredis Redis client source (same layout, same Redis class, identical description text 'A robust, performance-focused and full-featured Redis client for Node.js', and repository.url still points at git://github.com/luin/ioredis.git) but is published under the sibling name ioredis-orm . The package.json additionally declares a dependency on ioredis-typed: ^1.0.6 , which is not the upstream ioredis project and is not documented in any README in the tarball. The shipped code itself contains no install hooks, no obfuscation, and no network/credential/exfil code paths — the supply-chain concern is the silently-pulled transitive ioredis-typed , which an installer who types npm install ioredis-orm (intending the legitimate ioredis ) would acquire without notice. Routing to human review so a reviewer can assess the name-confusion risk and inspect ioredis-typed separately to determine whether the transitive carries a payload.

Source: amazon-inspector (f7edb2baf96d81e8c5e6853e041bc82ed8bab6aa8de5a9c70fa8c90b2ac6fd08)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.