ioredis-os @5.10.2
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-5879
Ecosystem
npm
Summary
ioredis-os appends -os to the widely-used ioredis package name and ships what appears to be a verbatim fork of ioredis (same author, same upstream repository URL git://github.com/luin/ioredis.git , identical API surface). It also declares a dependency on redis-type-os , another -os -suffixed name that mirrors redis-type . No install lifecycle scripts are declared and no credential theft, exfiltration, dropper, or silent-relay behavior is present in the reachable code from built/index.js — the current code looks clean. The concern is the naming pattern: a developer who mistypes or otherwise reaches ioredis-os instead of ioredis ends up running a fork that the upstream maintainer does not control, and the chained -os dependency expands that surface. Routing to human review so a maintainer can assess whether the fork is legitimate (intended derivative) or a name-confusion squat that should be removed.
Source: amazon-inspector (387bee0d123eeed248b8be6281784b88d2a3385943a3f696541c1ce48b1c817a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.