
log-taker @0.1.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6338

Ecosystem

npm

Summary

index.js requires child_process and invokes execSync with bash and zsh shells (around lines 315 and 331). The available evidence does not establish what commands are run, whether the calls fire at install/import time or only when a caller invokes a specific exported function, or whether any installer data is exfiltrated to a network destination. The package name suggests a log-collection tool, which can legitimately shell out to system utilities, but the shell-execution surface combined with the absence of clear scoping warrants human review of the actual command strings and reachability before recommending the package to installers.

Source: amazon-inspector (35623f56ea43d8a9a7ac1caa84678ed40d6923fdf19d8d23f7d4aacdde1a8c4a)
