leo-cdk-lib @0.0.2

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6420

Ecosystem

npm

Summary

The package ships a binding.gyp at the root that contains GYP command-expansion syntax (<!(...)) inside the targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, even without a declared install/postinstall script, and GYP evaluates <!(...) as a shell command during the configure step. As a result the embedded command executes automatically on npm install, which is functionally equivalent to a lifecycle hook. The package does not ship the corresponding native source files (.c/.cc/.cpp/.h) that would justify a real node-gyp build, indicating that the binding.gyp exists to run the embedded command rather than to build a native addon.

Source: amazon-inspector (0c00b5f0c306cb1af4497ed1726f1889b62a9b20d64de1dceb3181fbd7ca263b)
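A defender-side check for the pattern described in the summary, added here as an example and not part of the advisory or of any scanner's code: it inspects an unpacked package directory for a root binding.gyp containing GYP command expansion, counts the native sources a genuine build would compile, and records whether package.json declares an install hook. The fixture package, its file names and the echo command inside it are constructed sample data; nothing in the check executes the package.

```python
import json
import re
import tempfile
from pathlib import Path

# GYP runs the text inside "<!(...)" (or "<!@(...)") in a shell at configure time.
# Non-greedy match: a nested ")" truncates the captured command but still flags it.
COMMAND_EXPANSION = re.compile(r"<!@?\((.*?)\)", re.DOTALL)
NATIVE_EXTS = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def assess_package(pkg_dir):
    """Inspect one unpacked package directory; this only reads files, never builds."""
    pkg_dir = Path(pkg_dir)
    gyp = pkg_dir / "binding.gyp"
    result = {"has_binding_gyp": gyp.is_file(), "expansions": [], "native_sources": 0,
              "declares_install_hook": False, "suspicious": False}
    if not result["has_binding_gyp"]:
        return result
    text = gyp.read_text(errors="replace")
    result["expansions"] = [cmd.strip() for cmd in COMMAND_EXPANSION.findall(text)]
    # Count native sources a real node-gyp build could compile (ignore vendored deps).
    result["native_sources"] = sum(1 for p in pkg_dir.rglob("*")
                                   if p.suffix in NATIVE_EXTS and "node_modules" not in p.parts)
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        result["declares_install_hook"] = any(hook in scripts for hook in INSTALL_HOOKS)
    # The advisory's signature: a command to run, but nothing to actually build.
    result["suspicious"] = bool(result["expansions"]) and result["native_sources"] == 0
    return result

def build_fixture(command_expansion, native_sources):
    """Write a throwaway sample package to disk (constructed data, not a real package)."""
    root = Path(tempfile.mkdtemp(prefix="gyp-check-"))
    (root / "package.json").write_text(json.dumps({"name": "sample-pkg", "version": "0.0.1"}))
    entry = "<!(echo hello-from-gyp)" if command_expansion else "src/addon.cc"
    gyp = {"targets": [{"target_name": "addon", "sources": [entry]}]}
    (root / "binding.gyp").write_text(json.dumps(gyp, indent=2))
    if native_sources:
        (root / "src").mkdir()
        (root / "src" / "addon.cc").write_text("// constructed stub\n")
    return root

if __name__ == "__main__":
    for flags in ((True, False), (False, True)):
        print(flags, assess_package(build_fixture(*flags)))
```

Run it against an extracted tarball (npm pack, then untar) before installation; a hit with declares_install_hook False is the quiet variant the summary describes, where no script in package.json reveals the behaviour.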
