OSV ID
MAL-2026-6428
Ecosystem
npm
Summary
binding.gyp at line 6 contains GYP command-expansion syntax (<!(...) / <!@(...) / <@(...)) inside the targets/sources fields. npm implicitly invokes node-gyp rebuild whenever a package contains a binding.gyp, and GYP evaluates command-expansion expressions as shell during the configure step — so the embedded command runs automatically on every npm install of this package, even though package.json declares no install/postinstall script. This is functionally equivalent to a lifecycle hook and executes attacker-chosen code on the installer's machine. The package has no apparent legitimate need for a native addon build via binding.gyp, indicating the file's only purpose is to fire the embedded shell command at install.
Source: amazon-inspector (52a0b87288e27f81313e89ac69303ce3aa2dd80fde26ce278bed22c8a524ab98)
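The implicit node-gyp install path described in the summary can be triaged mechanically before a package is allowed into a dependency tree. This is an added example, not part of the OSV record or of Amazon Inspector's tooling; the sample package.json and binding.gyp are constructed, with a harmless placeholder command standing in for the one in the real package.

```javascript
// Added example, not part of the OSV record: heuristic triage of an npm
// package for the binding.gyp install-time execution path described above.
// GYP operators named in the advisory: <!( and <!@( run a command during
// `node-gyp configure`; <@( only splices a variable list (lower severity).
const OPERATORS = [
  { token: '<!@(', kind: 'command-list', severity: 'high' },
  { token: '<!(', kind: 'command', severity: 'high' },
  { token: '<@(', kind: 'variable-list', severity: 'info' },
];

// Every operator occurrence in binding.gyp text, with a 1-based line number.
function findGypExpansions(gypText) {
  const findings = [];
  gypText.split('\n').forEach((line, i) => {
    for (const op of OPERATORS) {
      let at = line.indexOf(op.token);
      while (at !== -1) {
        findings.push({ line: i + 1, kind: op.kind, severity: op.severity, snippet: line.trim() });
        at = line.indexOf(op.token, at + op.token.length);
      }
    }
  });
  return findings;
}

// Combine the GYP scan with package.json facts into one install-time verdict.
// gypText is null when the package ships no binding.gyp.
function assessInstallRisk(pkgJson, gypText) {
  const scripts = pkgJson.scripts || {};
  const expansions = gypText === null ? [] : findGypExpansions(gypText);
  const commandCount = expansions.filter((f) => f.severity === 'high').length;
  // A genuine addon lists C/C++ sources; command expansion without any is a red flag.
  const nativeSources = gypText !== null && /["'][^"']+\.(c|cc|cpp|cxx)["']/.test(gypText);
  return {
    // npm runs `node-gyp rebuild` by default when binding.gyp exists and no
    // install script is declared, so the gyp file alone acts as an install hook.
    implicitGypRebuild: gypText !== null && !('install' in scripts),
    declaredInstallScripts: ['preinstall', 'install', 'postinstall'].filter((k) => k in scripts),
    expansions,
    nativeSources,
    verdict: commandCount === 0 ? 'ok' : nativeSources ? 'review' : 'suspicious',
  };
}

// Constructed sample mirroring the advisory's shape; the command is a harmless placeholder.
const SAMPLE_PKG = { name: 'example-pkg', version: '1.0.0', scripts: { test: 'node test.js' } };
const SAMPLE_GYP = `{ 'targets': [{ 'target_name': 'noop',
  'sources': ['<!@(echo placeholder-command)'] }] }`;

console.log(JSON.stringify(assessInstallRisk(SAMPLE_PKG, SAMPLE_GYP), null, 2));
```

A `review` verdict (command expansion alongside real C/C++ sources) is the normal case for legitimate addons that query `node-addon-api` include paths, so only `suspicious` should block a PR outright.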