node-path-addon @1.0.8
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10463
Ecosystem
npm
Summary
node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry (path.js) delegates by executing require('path-addon-extend') at module load, and package.json declares that dependency at wildcard version '*', so importing node-path-addon unconditionally resolves and executes the latest published version of path-addon-extend — whose contents are controlled by whoever owns that separate npm name. The shim also imports the 'https' module without using it, and the README instructs users to run 'npm install --save path-addon' rather than the actual published name 'node-path-addon', a naming mismatch consistent with typosquat lure behavior. The package itself contains no direct exfiltration or shell execution, but the wildcard-pinned require on import is a loader that grants an external, mutable dependency arbitrary code execution in the consumer's process on every install and require.
Source: amazon-inspector (5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.