leo-connector-redshift @3.0.6

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6427

Ecosystem

npm

Summary

The package ships a binding.gyp at the package root that contains GYP command-expansion syntax ( <!(...) ) at line 6. Because a binding.gyp is present, npm implicitly invokes node-gyp rebuild during install, and node-gyp/GYP evaluates <!(...) expressions as shell commands during the configure step. As a result, the embedded command executes automatically on npm install, with no declared lifecycle script in package.json and no explicit user action. The construct fires on a default install and gives the maintainer of this version a generic mechanism to run arbitrary shell commands on every installer's machine.

Source: amazon-inspector (808b84100db5bf11527a7c9f406522f24c4dd9a1ff25f71f0068c1b672da3cbb)
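A pre-install check for the mechanism described in the summary, added here as an example (not code from the OSV record or from the package): it walks an unpacked tarball or node_modules tree, finds every binding.gyp, and reports lines that use GYP command expansion. The sample binding.gyp embedded below is constructed for the demonstration.

```python
"""Scan binding.gyp files for GYP command expansion (<!(...) and <!@(...)).

Added example, not code from the OSV record or the package. npm runs
`node-gyp rebuild` whenever a binding.gyp is present, and GYP evaluates
<!(...) as a shell command at configure time, so any such expression in a
third-party package deserves review before install. Text scan only.
"""
import os
import re
import sys

# <!( ... ) and list form <!@( ... ); plain <( ... ) is variable expansion, not matched.
CMD_EXPANSION = re.compile(r"<!@?\(")


def scan_gyp_text(text):
    """Return (line_number, stripped_line) for each line with a command expansion."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), start=1)
            if CMD_EXPANSION.search(line)]


def scan_tree(root):
    """Map each binding.gyp under root to its hits (an empty list means clean)."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        if "binding.gyp" in filenames:
            path = os.path.join(dirpath, "binding.gyp")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = scan_gyp_text(fh.read())
    return results


# Constructed sample, not the advisory's file: a harmless echo in include_dirs.
SAMPLE_BINDING_GYP = """{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': [
      "<!(echo constructed-sample)",
    ],
  }]
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a node_modules tree or unpacked tarball
        for path, hits in scan_tree(sys.argv[1]).items():
            for lineno, line in hits:
                print(f"{path}:{lineno}: {line}")
    else:  # no argument: show the finding on the constructed sample
        print(scan_gyp_text(SAMPLE_BINDING_GYP))
```

Legitimate native addons also use <!(...) (for example to call pkg-config), so a hit is a review prompt rather than proof of malice; the decisive signal is a command expansion in a package that has no native code to build.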
