
leo-connector-mysql @3.0.3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Type: Malicious

OSV ID: MAL-2026-6425

Ecosystem: npm

Summary

The package ships a binding.gyp file containing GYP command-expansion syntax (`<!(...)`) at line 6. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present, even without any declared install or postinstall script, and GYP evaluates `<!(...)` expressions as shell commands during the configure step. As a result the embedded command executes automatically on every `npm install`, which is functionally identical to a lifecycle hook. Any installer or build system that pulls this package will run the expanded command with the privileges of the installing user.

Source: amazon-inspector (cc20d78464a78cbe988dbbbc2fe10cd4207311a8ff43ee7c5a0411e68e81bb57)
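The mechanism described above is easy to audit for: a binding.gyp file is plain text, and command expansion only ever appears as a `<!(`, `<!@(`, `>!(` or `>!@(` token. The following script is an added example, not code from the advisory, from OSV, or from the package itself. It walks a dependency tree, reports every binding.gyp that carries such a token together with its line number, and builds its own constructed fixture in a temporary directory (the package name `example-bad-package` and the `echo placeholder-command` expansion are invented for the fixture and are not the real package's contents).

```python
import os
import re
import tempfile
from pathlib import Path

# GYP command-expansion forms. The early-phase (<!) and late-phase (>!)
# variants, with or without the @ list modifier, all run the enclosed text
# through the shell during `node-gyp configure`.
COMMAND_EXPANSION = re.compile(r"[<>]!@?\(")


def scan_binding_gyp(path):
    """Return (line_number, line_text) pairs that contain a command expansion."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if COMMAND_EXPANSION.search(line):
                hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_tree(root):
    """Walk `root` (for example a node_modules directory) and map every
    binding.gyp that carries a command expansion to its list of hits."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" in files:
            gyp = Path(dirpath) / "binding.gyp"
            hits = scan_binding_gyp(gyp)
            if hits:
                findings[gyp.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree():
    """Constructed fixture (assumption, not real package data): one benign
    native addon and one hypothetical package whose binding.gyp smuggles a
    command expansion at line 6, mirroring the advisory's description."""
    root = Path(tempfile.mkdtemp(prefix="gypscan-"))

    benign = root / "node_modules" / "benign-addon"
    benign.mkdir(parents=True)
    (benign / "binding.gyp").write_text(
        '{\n'
        '  "targets": [{\n'
        '    "target_name": "addon",\n'
        '    "sources": ["addon.cc"]\n'
        '  }]\n'
        '}\n'
    )

    bad = root / "node_modules" / "example-bad-package"
    bad.mkdir(parents=True)
    (bad / "binding.gyp").write_text(
        '{\n'
        '  "targets": [{\n'
        '    "target_name": "addon",\n'
        '    "sources": ["addon.cc"],\n'
        '    "variables": {\n'
        '      "build_id": "<!(echo placeholder-command)"\n'   # line 6
        '    }\n'
        '  }]\n'
        '}\n'
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for gyp_path, gyp_hits in scan_tree(sample_root).items():
        for lineno, text in gyp_hits:
            print(f"{gyp_path}:{lineno}: {text.strip()}")
```

To audit a real project, point `scan_tree` at its node_modules directory after populating it with `npm ci --ignore-scripts`, so that the implicit `node-gyp rebuild` (which is itself a lifecycle script and therefore skipped by that flag) does not run before the scan. A hit is not automatically malicious, since legitimate native addons use `<!(` to query tool paths or versions, but every hit is a shell command that will run at install time and deserves a look.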
