leo-connector-oracle @2.0.1
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6426
Ecosystem
npm
Summary
The package ships a binding.gyp containing GYP command-expansion syntax (<!(...)) at line 6 inside the sources field of a target definition. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, even with no declared install/postinstall script, and GYP evaluates <!(...) as a shell invocation during its configure step. This causes the embedded command to execute automatically on npm install, functionally identical to a lifecycle hook. Use of GYP command expansion in a sources list is anomalous for a normal native addon build (sources are expected to be literal file paths). Any installer running npm install leo-connector-oracle will execute the command at build-configuration time.
Source: amazon-inspector (6f58d7bafe2bb3cea11b6066ac48bf357bc79d2b0170c6a76c4b247c89eadb71)
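A review check for the pattern described in the summary, as an added example that is not part of the report or of the package: it lists every GYP command expansion in a binding.gyp with its line number and enclosing key, and marks those under a sources key as anomalous. The function names and the sample file are assumptions constructed for illustration, and the embedded command is a harmless placeholder.

```javascript
// Constructed sample binding.gyp, not the package's real file; the command is a harmless placeholder.
const SAMPLE_GYP = String.raw`{
  'targets': [
    {
      'target_name': 'addon',
      'sources': [
        '<!(echo PLACEHOLDER_COMMAND)',
        'src/addon.cc'
      ],
      'include_dirs': ["<!@(node -p \"require('node-addon-api').include\")"]
    }
  ]
}`;

// Text between the opening "(" of an expansion and its matching ")".
function expansionBody(text, start) {
  let depth = 1;
  for (let i = start; i < text.length; i++) {
    if (text[i] === "(") depth++;
    else if (text[i] === ")" && --depth === 0) return text.slice(start, i);
  }
  return text.slice(start); // unterminated on this line: keep the remainder
}

// Report every <!(...) / <!@(...) command expansion with its line number and
// the nearest preceding dictionary key (a heuristic, since .gyp is not strict JSON).
function findGypCommandExpansions(gypText) {
  const findings = [];
  let key = null;
  gypText.split(/\r?\n/).forEach((line, idx) => {
    const token = /['"]([\w%+=!?\/-]+)['"]\s*:|<!@?\(/g;
    let m;
    while ((m = token.exec(line)) !== null) {
      if (m[1] !== undefined) { key = m[1]; continue; }
      findings.push({
        line: idx + 1,
        key,
        list: m[0].includes("@"), // <!@( splits the command output into a list
        command: expansionBody(line, m.index + m[0].length),
        // Source entries are expected to be literal paths, so a command here is anomalous.
        anomalous: key !== null && /^sources\b/.test(key),
      });
    }
  });
  return findings;
}

console.log(findGypCommandExpansions(SAMPLE_GYP));
```

Run it over the text of each binding.gyp in a dependency tree that was fetched without building (for example with npm install --ignore-scripts), and read every reported command before allowing a build.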