rstreams-shard-util @1.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID: MAL-2026-6433

Ecosystem: npm

Summary

The package ships a binding.gyp whose sources field, at line 6, uses GYP command-expansion syntax (<!(...)). When npm installs a package that contains a binding.gyp, it implicitly runs node-gyp rebuild, and the GYP configure step evaluates <!(...) expressions as shell commands, so arbitrary code runs on the installer's machine without any declared install or postinstall lifecycle script. The mechanism is functionally equivalent to a postinstall hook but far less visible to reviewers, because package.json shows no lifecycle scripts. The package contains no legitimate native source files that would justify a binding.gyp, indicating that the file's only purpose is to trigger the embedded shell command on install.

Source: amazon-inspector (5b8add0d2dc18ec5b953eb3d02c8926b2f186cc25b8e6cfa76fb4a6123d6aaf9)
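A pre-install check for the pattern described above, added here as an example and not part of the OSV record or of the package: it flags a binding.gyp whose sources use <!( or <!@( command expansion when the package carries no native source files and declares no install hooks. The in-memory file layout and both sample packages are constructed for the example; in practice the dict would be filled from an extracted tarball before npm install is run.

```python
import json
import os
import re

# GYP command expansion: both <!(cmd) and the list form <!@(cmd) run cmd in a shell
# during the configure step that `node-gyp rebuild` performs at install time.
GYP_CMD_EXPANSION = re.compile(r"<!@?\(")
NATIVE_EXTS = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".m", ".mm"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_command_expansions(gyp_text):
    """Return (1-based line number, stripped line) for each <!( or <!@( occurrence."""
    return [(n, line.strip()) for n, line in enumerate(gyp_text.splitlines(), 1)
            if GYP_CMD_EXPANSION.search(line)]


def assess_package(files):
    """files maps package-relative path -> file text (hypothetical in-memory layout)."""
    gyp = files.get("binding.gyp")
    if gyp is None:
        return {"verdict": "clean", "reason": "no binding.gyp, so node-gyp never runs"}
    expansions = find_command_expansions(gyp)
    has_native = any(os.path.splitext(p)[1].lower() in NATIVE_EXTS for p in files)
    scripts = json.loads(files.get("package.json", "{}")).get("scripts", {})
    hooks = [h for h in LIFECYCLE_HOOKS if h in scripts]
    if expansions and not has_native:
        # The pattern in the report: shell expansion, nothing to compile, no declared hooks.
        return {"verdict": "suspicious", "expansions": expansions, "declared_hooks": hooks,
                "reason": "binding.gyp runs shell commands but there is nothing to build"}
    if expansions:
        # Real addons also use <!(...), e.g. to locate header paths; still worth a look.
        return {"verdict": "review", "expansions": expansions, "declared_hooks": hooks,
                "reason": "binding.gyp runs shell commands alongside native sources"}
    return {"verdict": "clean", "reason": "binding.gyp contains no command expansion"}


# Constructed samples (not the real package contents); the expansion sits on line 6.
SUSPICIOUS_PKG = {
    "package.json": json.dumps({"name": "constructed-sample", "version": "0.0.0"}),
    "binding.gyp": "{\n  'targets': [\n    {\n      'target_name': 'noop',\n"
                   "      'sources': [\n        '<!(sample-command-placeholder)'\n"
                   "      ]\n    }\n  ]\n}\n",
}
LEGIT_PKG = {
    "package.json": json.dumps({"name": "constructed-addon", "version": "0.0.0"}),
    "binding.gyp": "{'targets': [{'target_name': 'addon', 'sources': ['src/addon.cc']}]}",
    "src/addon.cc": "// constructed native source",
}

if __name__ == "__main__":
    for name, pkg in (("suspicious", SUSPICIOUS_PKG), ("legit", LEGIT_PKG)):
        print(name, assess_package(pkg))
```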
