npm

new-helper @5.8.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6284

Ecosystem

npm

Summary

index.js imports child_process and contains execSync calls invoking bash and zsh (around lines 301 and 317). Without traced execution context, it is not possible to determine whether these calls are reachable at install/import time, whether they execute attacker-controlled content, or whether they are gated behind explicit user CLI invocation. No hardcoded attacker C2, credential-path reads, or known-bad-infrastructure fingerprints are present in the available evidence. Routing to human review to inspect the surrounding code paths and confirm intent.

Source: amazon-inspector (47f6e9bcab53d95265012a31a4dcfc1485ed6db858e788e68ac2ac1ebc33fc34)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.