OSV ID
MAL-2026-6418
Ecosystem
npm
Summary
The package contains a binding.gyp at the tarball root whose contents use GYP command-expansion syntax (<!(...) / <!@(...)) on line 6. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present in the package, even without any declared install/postinstall script, and node-gyp's configure step evaluates <!(...) expressions as shell commands. As a result, the embedded command executes on every npm install of leo-aws. The package ships no native C/C++ source files (no .c/.cc/.cpp/.h), so the binding.gyp has no legitimate build purpose; its only effect is to run the embedded shell command at install time. This is functionally equivalent to a postinstall hook and is a well-known supply-chain technique for hiding install-time code execution from a cursory inspection of the package.json scripts field.
Source: amazon-inspector (914680f83c4971cb6bc16c3ef608f4c1e8a73a25769911d5d9076ad91c935f63)
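A defender-side check for the pattern this advisory describes, added here as an example and not part of the OSV record or of the amazon-inspector tooling: it flags an unpacked package whose root binding.gyp contains GYP command expansion while the package ships no native sources. The sample package it builds is constructed for the demonstration and is not the real leo-aws tarball; the severity labels are this example's own.

```python
import re
import tempfile
from pathlib import Path
# GYP command expansions <!(cmd) / <!@(cmd): node-gyp's configure step runs cmd via the shell at npm install time.
GYP_CMD_EXPANSION = re.compile(r"<!@?\(")
NATIVE_EXTS = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".mm"}

def find_command_expansions(gyp_text):
    """1-based numbers of lines containing <!(...) or <!@(...)."""
    return [n for n, line in enumerate(gyp_text.splitlines(), 1)
            if GYP_CMD_EXPANSION.search(line)]

def has_native_sources(pkg_dir):
    """True if the unpacked package ships any C/C++/ObjC source or header."""
    return any(p.is_file() and p.suffix.lower() in NATIVE_EXTS for p in Path(pkg_dir).rglob("*"))

def audit_package(pkg_dir):
    """Severity: none (no binding.gyp), info (no expansion), suspicious (expansion
    but native sources present), malicious-pattern (expansion, no native sources)."""
    gyp_path = Path(pkg_dir) / "binding.gyp"
    if not gyp_path.is_file():
        return {"severity": "none", "lines": []}
    lines = find_command_expansions(gyp_path.read_text(encoding="utf-8", errors="replace"))
    if not lines:
        return {"severity": "info", "lines": []}
    # Expansion but no native code: the binding.gyp has no build purpose at all.
    severity = "suspicious" if has_native_sources(pkg_dir) else "malicious-pattern"
    return {"severity": severity, "lines": lines}

# Constructed sample, NOT the real leo-aws tarball: no scripts field, and a
# binding.gyp whose line 6 carries a harmless placeholder command expansion.
SAMPLE_BINDING_GYP = """{
  "targets": [
    {
      "target_name": "noop",
      "sources": [],
      "variables": { "note": "<!(echo placeholder-only)" }
    }
  ]
}
"""

def build_sample_package(with_native_source=False):
    """Write the constructed sample to a temp dir; optionally add a .cc file."""
    pkg = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (pkg / "package.json").write_text('{"name": "sample-pkg", "version": "1.0.0"}\n')
    (pkg / "binding.gyp").write_text(SAMPLE_BINDING_GYP)
    if with_native_source:
        (pkg / "addon.cc").write_text("// constructed placeholder native source\n")
    return str(pkg)
```

Run it over the unpacked tarball (npm pack, then extract) before a dependency is approved; in CI, npm install --ignore-scripts skips install-time lifecycle scripts, including this implicit node-gyp rebuild, and is a useful second control.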