leo-connector-elasticsearch @2.0.6
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6423
Ecosystem
npm
Summary
The package ships a binding.gyp containing GYP command-expansion syntax (<!(...)) at line 6 inside the targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even without any declared install or postinstall lifecycle script — and GYP evaluates <!(...) as a shell command during the configure step. This causes the embedded command to execute on the installer's machine on npm install, functionally equivalent to a lifecycle hook running arbitrary code. The binding.gyp embeds command substitution rather than a list of real native source files (.c/.cc/.cpp), which indicates that the file's purpose is to run that command at install time, not to build a legitimate native addon.
Source: amazon-inspector (fe643e56a0ed63b5f361b4d14c4f6a0a4e13d58bb1c68bb2d296ceafc7756465)
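A detection check for the pattern described in the summary, added here as an example and not part of the advisory or the package: it flags a binding.gyp whose `sources` are command expansions with no real native files, and reports whether npm would run node-gyp rebuild implicitly (binding.gyp present, no install or preinstall script). The two binding.gyp samples are constructed, and the suspect one uses a harmless placeholder command.

```python
import ast
import re

# GYP command expansion, <!(cmd) or <!@(cmd): gyp runs cmd in a shell during configure.
CMD_EXPANSION = re.compile(r"<!@?\(")
# File extensions a genuine native addon would list under 'sources'.
NATIVE_SRC = re.compile(r"\.(c|cc|cpp|cxx|m|mm)$", re.IGNORECASE)

# Constructed sample mimicking the reported pattern; the command is a harmless placeholder.
SUSPECT_GYP = """{
  'targets': [{
    'target_name': 'addon',
    'sources': ['<!(echo placeholder-command)'],
  }]
}"""

# Constructed benign addon: command expansion only for an include path, plus a real .cc file.
BENIGN_GYP = r"""{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': ['<!(node -e "require(\'nan\')")'],
  }]
}"""


def npm_runs_node_gyp(package_json: dict, has_binding_gyp: bool) -> bool:
    """npm's default install script is `node-gyp rebuild` when binding.gyp exists
    and package.json declares neither an install nor a preinstall script."""
    scripts = set(package_json.get("scripts") or {})
    return has_binding_gyp and not ({"install", "preinstall"} & scripts)


def scan_binding_gyp(text: str) -> dict:
    """Locate command expansions and check whether any real native source is listed.
    binding.gyp is a Python-style dict literal, so ast.literal_eval parses most of them."""
    lines = [n for n, line in enumerate(text.splitlines(), 1) if CMD_EXPANSION.search(line)]
    sources = []
    try:
        for target in ast.literal_eval(text).get("targets", []):
            sources.extend(target.get("sources", []))
    except (ValueError, SyntaxError):
        pass  # unparsable file: fall back to the line-based evidence only
    in_sources = any(CMD_EXPANSION.search(s) for s in sources)
    has_native = any(NATIVE_SRC.search(s) for s in sources)
    # The report's signal: a shell command standing in for sources, with no .c/.cc/.cpp files.
    return {"expansion_lines": lines, "expansion_in_sources": in_sources,
            "has_native_sources": has_native,
            "suspicious": bool(lines) and (in_sources or not has_native)}
```

Command expansion alone is not proof of malice (the nan include-path idiom uses it legitimately), so the verdict keys on expansion standing in for sources without any real native file.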