npm

local-ip-helper @0.1.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6282

Ecosystem

npm

Summary

index.js imports child_process and calls execSync with bash and zsh (lines 301 and 317). Without further context, it is unclear whether these invocations are part of a benign helper that resolves the local IP address by querying shell utilities, or whether they execute attacker-influenced content. No hardcoded external network destinations, credential reads, or install-time lifecycle hooks were observed. Recommend human review of the exact commands passed to bash/zsh and of how the package is invoked (library import vs. CLI) before allowing or blocking.

Source: amazon-inspector (5741cea5f57c51246c2944fda4ecf601f191b482e5c6effa22b640f8701a00e8)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.