leo-connector-mongo @3.0.8
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6424
Ecosystem
npm
Summary
The package ships a binding.gyp at the root that uses GYP command-expansion syntax (<!(...)) at line 6 within the targets/sources fields. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present — even when no install/postinstall script is declared — and node-gyp's configure step evaluates <!(...) as a shell command. This results in arbitrary command execution on the installer's machine during a default npm install, functionally equivalent to a malicious lifecycle hook. The command embedded in the GYP expansion runs with the installing user's privileges on every install of this version.
Source: amazon-inspector (dc9ecc7f6488cb4c941a9184df1b6cf93ff87dc98f904d7b2b45025bd88f143a)
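The summary above makes a detection point that is easy to miss: a scanner that only inspects package.json lifecycle scripts never sees this class of package, because the execution path is npm's implicit node-gyp rebuild, triggered by the mere presence of binding.gyp, and the command lives in the GYP file rather than in any script field. The following is an added example (not part of the OSV record, the amazon-inspector source, or the leo-connector-mongo package) of a triage check that inspects an unpacked package's files: it flags binding.gyp at the root when no install/preinstall script overrides npm's default and "gypfile" is not set to false, and it lists every <!(...) or <!@(...) command expansion with its line number. The sample binding.gyp and package.json contents are constructed placeholders, not the real package's files. Command expansions are common in legitimate native addons (for example to query pkg-config or node's own configuration), so a hit is a signal for review, not proof of malice.

```python
import json
from typing import Dict, List, Tuple


def _extract_expansions(line: str) -> List[str]:
    """Return the body of every GYP command expansion on one line.

    GYP evaluates "<!(cmd)" (splice stdout) and "<!@(cmd)" (split stdout
    into a list) by running cmd in a shell during the configure step.
    Parentheses are matched by depth so shell substitutions like $(...)
    inside the command are captured whole.
    """
    hits: List[str] = []
    i = 0
    while True:
        start = line.find("<!", i)
        if start == -1:
            return hits
        j = start + 2
        if j < len(line) and line[j] == "@":
            j += 1
        if j >= len(line) or line[j] != "(":
            i = start + 2          # "<!" without "(" is not an expansion
            continue
        depth, k = 0, j
        while k < len(line):
            if line[k] == "(":
                depth += 1
            elif line[k] == ")":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        hits.append(line[j + 1:k])  # unbalanced: take the rest of the line
        i = k + 1


def find_gyp_command_expansions(gyp_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, command) for each expansion in a binding.gyp body."""
    found: List[Tuple[int, str]] = []
    for lineno, line in enumerate(gyp_text.splitlines(), start=1):
        for cmd in _extract_expansions(line):
            found.append((lineno, cmd))
    return found


def assess_package(files: Dict[str, str]) -> dict:
    """Triage an unpacked npm package given {relative path: file content}.

    npm's documented default: if binding.gyp sits at the package root and
    package.json declares neither "install" nor "preinstall", the install
    step defaults to `node-gyp rebuild` unless "gypfile" is false.
    """
    pkg = json.loads(files.get("package.json", "{}"))
    scripts = pkg.get("scripts") or {}
    gyp = files.get("binding.gyp")
    declares_install = any(k in scripts for k in ("preinstall", "install"))
    implicit_rebuild = (
        gyp is not None and not declares_install and pkg.get("gypfile", True) is not False
    )
    return {
        "has_binding_gyp": gyp is not None,
        "declares_install_script": declares_install,
        "implicit_node_gyp_rebuild": implicit_rebuild,
        "command_expansions": find_gyp_command_expansions(gyp) if gyp else [],
    }


# Constructed sample package: no install script, but a binding.gyp whose
# sources list contains a command expansion (placeholder command, line 6).
SAMPLE_BINDING_GYP = """{
  'targets': [
    {
      'target_name': 'placeholder_addon',
      'sources': [
        '<!(echo constructed-placeholder.cc)',
      ],
    },
  ],
}
"""

SAMPLE_PACKAGE: Dict[str, str] = {
    "package.json": json.dumps(
        {"name": "constructed-example", "version": "0.0.0", "scripts": {"test": "echo ok"}}
    ),
    "binding.gyp": SAMPLE_BINDING_GYP,
}

if __name__ == "__main__":
    report = assess_package(SAMPLE_PACKAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the trigger is file presence rather than a declared script, the check has to run over the package contents (the extracted tarball in a CI step or a registry mirror), not over a lockfile, which records only names, versions and integrity hashes.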