OSV ID
MAL-2026-6430
Ecosystem
npm
Summary
leo-sdk ships a binding.gyp at the package root whose targets/sources configuration uses GYP command-expansion syntax, <!(...). npm treats a binding.gyp at the package root as a native addon to build: when package.json declares no install or preinstall script, npm defaults the install step to node-gyp rebuild, so nothing in the scripts section needs to advertise it (a postinstall entry, present or absent, does not change this). During the configure step, the GYP bundled with node-gyp evaluates every <!(...) expression by running its contents as a shell command and splicing the output into the build configuration. The command embedded in leo-sdk's binding.gyp therefore runs on every npm install of the package, on the installer's machine, with the installer's privileges, before any native code is compiled. Functionally this is a postinstall hook, but it is easy to miss in review because package.json carries no scripts entry. The pattern is a known install-time code-execution technique (CWE-506, Embedded Malicious Code): in this shape the binding.gyp does not describe a real addon, and its only effective purpose is to execute the embedded command at install time. Installing with npm install --ignore-scripts suppresses the implicit node-gyp rebuild along with declared lifecycle scripts, and unpacking the published tarball (npm pack leo-sdk) to look for a binding.gyp is the quickest way to spot the hook in a package whose scripts section looks clean.
Source: amazon-inspector (1919bbc80005a637a3e1161a28245bbe56baecb5a0d17e282cc5c2339e20b8d8)