leo-cli @3.0.3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6421

Ecosystem

npm

Summary

The package ships a binding.gyp file containing GYP command-expansion syntax (<!(...)) in its target configuration. npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present — even without an explicit install/postinstall script — and node-gyp evaluates <!(...) expressions as shell commands during the configure step. This causes arbitrary shell execution on the installer's machine on npm install, functionally equivalent to a lifecycle hook. Additional files (docker/run.js, docker-run.js, lib/build.js, lib/defaultCronRunner.js) combine child_process and outbound HTTP usage, broadening the install/runtime risk surface, though the binding.gyp command-expansion alone is sufficient grounds for installer-side concern.

Source: amazon-inspector (520c95e9cea55807cedb7f42a819fdb63febb61fe9a392b3de8f31f129cfa0fc)
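A defender-side check for the condition the summary describes, as an added example that is not part of the advisory or of the package: it walks an unpacked package directory, lists every GYP command expansion (<!( ... ) or <!@( ... )) in any binding.gyp, and reports whether npm would fall back to running node-gyp rebuild implicitly (binding.gyp at the package root and no "install" script in package.json). Because legitimate native addons also use command expansion, every hit is a review item, not a verdict.

```python
"""Flag GYP command expansion and implicit node-gyp rebuild in an npm package."""
import json
import os
import re
import sys
from dataclasses import dataclass, field

# "<!(cmd)" or "<!@(cmd)": node-gyp runs cmd in a shell during configure.
# Many benign packages use this (e.g. to locate header directories), so the
# scan reports hits for review rather than declaring the package malicious.
CMD_EXPANSION = re.compile(r"<!@?\((?P<cmd>[^)]*)\)")


@dataclass
class GypReport:
    implicit_rebuild: bool  # npm will run `node-gyp rebuild` with no install script
    expansions: list = field(default_factory=list)  # (relative path, line, command)


def scan_package(root: str) -> GypReport:
    """Return command expansions in binding.gyp files under `root` (unpacked package)."""
    expansions = []
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" not in files:
            continue
        path = os.path.join(dirpath, "binding.gyp")
        rel = os.path.relpath(path, root)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in CMD_EXPANSION.finditer(line):
                    expansions.append((rel, lineno, m.group("cmd").strip()))
    # npm's default install script is `node-gyp rebuild` when binding.gyp exists
    # at the package root and package.json declares no "install" script.
    has_root_gyp = os.path.isfile(os.path.join(root, "binding.gyp"))
    scripts = {}
    pkg_json = os.path.join(root, "package.json")
    if os.path.isfile(pkg_json):
        with open(pkg_json, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
    implicit = has_root_gyp and "install" not in scripts
    return GypReport(implicit_rebuild=implicit, expansions=expansions)


if __name__ == "__main__":
    report = scan_package(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"implicit node-gyp rebuild on install: {report.implicit_rebuild}")
    for rel, lineno, cmd in report.expansions:
        print(f"{rel}:{lineno}: command expansion -> {cmd}")
```

Run it against the extracted tarball (npm pack, then tar xf) rather than an installed copy, so the check happens before any install step executes.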
