new-solt-1 @0.0.9
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-6286
Ecosystem
npm
Summary
index.js imports child_process and invokes execSync with bash and zsh shells (around lines 315 and 331). The shell-execution pattern alone is not conclusive of malicious intent — it can appear in legitimate developer tooling, build helpers, or CLI utilities — but the package name has no clear declared purpose and the shell-execution surface warrants human inspection of the actual command strings, their inputs, and the trigger context (lifecycle hook vs. explicit CLI invocation) before recommending the package to installers.
Source: amazon-inspector (51a48524931e3ec3199917bed8d48e70c07bf91f4a0322a46926b7c1d98d8b3e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.