npm

parket-flow @3.0.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6334

Ecosystem

npm

Summary

index.js imports child_process and invokes execSync with bash and zsh shells (index.js line 1, 301, 317). Without traced execution context it is not possible to determine whether these shell invocations are part of legitimate tool functionality or whether they fetch and execute attacker-controlled content. No corroborating evidence of exfiltration, credential access, network beacons, or attacker-controlled endpoints is present in what was inspected. Recommend human review of the shell command construction and any inputs they consume before allowing or blocking.

Source: amazon-inspector (8e9b185a1b54e41a8fb900a67aab43dbb78abc4fea96e9ca05d356f6864e3bdd)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.