npm

leo-streams @2.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6431

Ecosystem

npm

Summary

The package ships a binding.gyp containing GYP command-expansion syntax, <!(...), at line 6. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, and GYP evaluates <!(...) as a shell command during the configure step, so the embedded command executes automatically on npm install even though the package declares no install/postinstall script. This pattern is a covert install-time code-execution channel that bypasses lifecycle-hook scrutiny. Installers running npm install leo-streams will execute whatever shell command is embedded in binding.gyp without consent or visibility.

Source: amazon-inspector (d3ff734d4383132d10aecac8c51798f0f38e08e03b10b201356ea01f3b914911)
