npm

redis-type-os @1.0.10

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-5882

Ecosystem

npm

Summary

Package is published as redis-type-os but all in-package references (README, docs/, CHANGELOG, repository field, author email) point to redis-om / redis-om-node by Guy Royse. dist/index.js is the upstream redis-om bundle verbatim. The only meaningful divergence from upstream is an added runtime dependency hex-type@^3.0.2 declared in package.json , which is not imported anywhere in the shipped code. The package itself contains no exfiltration, dropper, install hook, or credential-handling code; the carrier ships legitimate redis-om functionality. The supply-chain concern is two-fold: (1) the package name ( redis-type-os vs redis-om ) plus impersonated author identity creates confusion for developers who mistype the real package, and (2) installing it silently pulls hex-type into the dependency closure for reasons unrelated to the advertised functionality. Whether hex-type itself is benign or malicious must be evaluated separately. Routed for human review because name-similarity and author-impersonation are subjective judgments and the carrier itself executes no harmful code at install or import time.

Source: amazon-inspector (8f9fefcfb296b7a9b0c08dc47f628f1987d349d5b57cc9b3c5cb2ce7e331f7e4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.