npm

log-taker1@0.1.0

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 12:05 AM UTC

Malicious

OSV ID

MAL-2026-6690

Ecosystem

npm

Summary

log-taker1@0.1.0 ships an index.js that requires child_process and invokes execSync('bash...') and execSync('zsh...') to shell out at load time. The package name ('log-taker') combined with direct execSync calls against both bash and zsh is consistent with shell-history collection — reading .bash_history / .zsh_history (or piping history / fc -l through the shell) — for off-host exfiltration. Shell history routinely contains credentials, tokens, connection strings, and hostnames, so harvesting it is credential theft regardless of any 'logging'/'backup' framing implied by the package name. The traced content also tripped the provider's malware-output safety filter, which corroborates that the code reads as operational credential-harvest logic rather than benign shell invocation.

Source: amazon-inspector (1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb)
