npm

parket-helper @0.0.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6119

Ecosystem

npm

Summary

index.js imports child_process and invokes execSync with bash and zsh shells (lines 315 and 331). Without traced reachability, it is not established whether these calls fire at install/require time, fetch external content, or process attacker-controlled input. Helper packages that shell out can be legitimate (build tooling, environment setup) or harmful (droppers, env exfiltration), and the difference depends on what those execSync calls run and when. Manual review of index.js around the cited lines is recommended to determine the trigger context and the command strings being executed.

Source: amazon-inspector (31d62a38af75a45a91e590e0cffe4f58e900fe726b4323af1e481118d146277c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.