npm

new-solt @0.0.9

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6285

Ecosystem

npm

Summary

Package new-solt@0.0.8 contains index.js which imports child_process and invokes execSync with bash and zsh shell strings (around lines 315 and 331). Without further code-flow tracing it cannot be determined whether these shell calls are tied to install-time or import-time side effects, whether they execute attacker-controlled or fetched content, or whether they form part of a documented user-facing CLI. The pattern alone (child_process + shell execution) is consistent with both legitimate tooling and exfiltration/dropper behavior, so a human reviewer should examine the full execution path before installing or recommending this package.

Source: amazon-inspector (d5a46a9516de2c87a2d451b78ace7033fb9dffa9faa4216b84eb068136098cfa)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.