leo-cache @1.0.2
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6419
Ecosystem
npm
Summary
The package ships a binding.gyp at the package root that uses GYP command-expansion syntax, <!(...), at line 6 inside the targets/sources field. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present at the package root and the package declares no install or preinstall script of its own, and GYP evaluates <!(...) by running its contents as a shell command during the configure step. The embedded command therefore executes automatically on npm install, which is functionally equivalent to a lifecycle hook running arbitrary shell. This pattern is a known install-time code execution vector that disguises execution as a native-addon build configuration.
Source: amazon-inspector (b4e18f4565cc6df3a4011a9e35edaa348d84f36a6e1b3e8816748baec5ef567a)