OSV ID
MAL-2026-6285
Ecosystem
npm
Summary
Package new-solt@0.0.8 contains index.js which imports child_process and invokes execSync with bash and zsh shell strings (around lines 315 and 331). Without further code-flow tracing it cannot be determined whether these shell calls are tied to install-time or import-time side effects, whether they execute attacker-controlled or fetched content, or whether they form part of a documented user-facing CLI. The pattern alone (child_process + shell execution) is consistent with both legitimate tooling and exfiltration/dropper behavior, so a human reviewer should examine the full execution path before installing or recommending this package.
Source: amazon-inspector (d5a46a9516de2c87a2d451b78ace7033fb9dffa9faa4216b84eb068136098cfa)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.