serverless-convention @2.0.4
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6434
Ecosystem
npm
Summary
The package ships a binding.gyp file that uses GYP command-expansion syntax (<!(...)) at line 6 in a sources/targets context. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, even without any declared install/postinstall script, and GYP evaluates <!(...) as a shell command during the configure step. This causes arbitrary code to execute on the installer's machine at install time. The package does not appear to ship legitimate native source files that would justify a binding.gyp, and the use of command expansion in a sources field is not a normal build configuration — its purpose is to run the embedded shell command, not to compile a real native addon. This is a known install-time RCE technique that bypasses the more visible package.json lifecycle hooks.
Source: amazon-inspector (c4ae22dee9d7b6010119fc50265205ee6f90bfef7ee92d3433ade23db0ead8d6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.