prism-silq @1.0.1
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:46 AM UTC
OSV ID
MAL-2026-6493
Ecosystem
npm
Summary
The package ships a binding.gyp whose sources field uses GYP command-expansion syntax (<!(...)) at line 6 of that file. npm runs node-gyp rebuild as the default install script whenever a binding.gyp is present and no install/preinstall script is declared, and GYP evaluates <!(...) (and its list form <!@(...)) as a shell command during the configure step. The embedded command therefore runs automatically on every npm install, equivalent to a lifecycle hook executing attacker-controlled code on the installer's machine. This pattern abuses the native-addon build system to gain silent install-time code execution; a command expansion inside sources is not a legitimate native-extension build configuration.
Source: amazon-inspector (6bb3e8b0ded57991e21f137aac7c905348a83f6be7914c4da619c18d2acd280c)