local-ip-helper @0.1.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-6282
Ecosystem
npm
Summary
index.js imports child_process and calls execSync with bash and zsh (lines 301 and 317). Without further context, it is unclear whether these invocations are part of a benign helper that resolves the local IP address by querying shell utilities, or whether they execute attacker-influenced content. No hardcoded external network destinations, credential reads, or install-time lifecycle hooks were observed. Recommend human review of the exact commands passed to bash/zsh and of how the package is invoked (library import vs. CLI) before allowing or blocking.
Source: amazon-inspector (5741cea5f57c51246c2944fda4ecf601f191b482e5c6effa22b640f8701a00e8)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.