npm

leo-config@1.1.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6422

Ecosystem

npm

Summary

The package ships a binding.gyp containing GYP command-expansion syntax (<!(...)) at line 6 within the targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present and package.json declares no install or preinstall script, and GYP evaluates <!(...) as a shell command during the configure step. The embedded command therefore executes automatically on npm install. The package does not appear to ship genuine native source files matching a real native-addon build, so the binding.gyp's only practical purpose is to run the embedded shell command at install time. This is functionally equivalent to a malicious lifecycle hook and constitutes install-time arbitrary code execution on any machine that installs this package, unless lifecycle scripts are disabled (for example with npm install --ignore-scripts, which also suppresses the default node-gyp rebuild step).

Source: amazon-inspector (97cc6912b16110de3edb6578ad95543fa4f46f38833aa907470ea957d83f50d8)
