npm

new-solt-1 @0.0.9

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6286

Ecosystem

npm

Summary

index.js imports child_process and invokes execSync with bash and zsh shells (around lines 315 and 331). The shell-execution pattern alone is not conclusive of malicious intent — it can appear in legitimate developer tooling, build helpers, or CLI utilities — but the package name has no clear declared purpose and the shell-execution surface warrants human inspection of the actual command strings, their inputs, and the trigger context (lifecycle hook vs. explicit CLI invocation) before recommending the package to installers.

Source: amazon-inspector (51a48524931e3ec3199917bed8d48e70c07bf91f4a0322a46926b7c1d98d8b3e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.