log-taker1 @0.1.0
Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 12:05 AM UTC
OSV ID
MAL-2026-6690
Ecosystem
npm
Summary
log-taker1@0.1.0 ships an index.js that requires child_process and invokes execSync('bash...') and execSync('zsh...') to shell out at load time. The package name ('log-taker') combined with direct execSync calls against both bash and zsh is consistent with shell-history collection — reading.bash_history /.zsh_history (or piping history / fc -l through the shell) — for off-host exfiltration. Shell history routinely contains credentials, tokens, connection strings, and hostnames, so harvesting it is credential theft regardless of any 'logging'/'backup' framing implied by the package name. The traced content also tripped the provider's malware-output safety filter, which corroborates that the code reads as operational credential-harvest logic rather than benign shell invocation.
Source: amazon-inspector (1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.