parket-helper @0.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6119
Ecosystem
npm
Summary
index.js imports child_process and invokes execSync with bash and zsh shells (lines 315 and 331). Without traced reachability, it is not established whether these calls fire at install/require time, fetch external content, or process attacker-controlled input. Helper packages that shell out can be legitimate (build tooling, environment setup) or harmful (droppers, env exfiltration), and the difference depends on what those execSync calls run and when. Manual review of index.js around the cited lines is recommended to determine the trigger context and the command strings being executed.
Source: amazon-inspector (31d62a38af75a45a91e590e0cffe4f58e900fe726b4323af1e481118d146277c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.