npm

serverless-leo @3.0.14

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC

Malicious

OSV ID

MAL-2026-6435

Ecosystem

npm

Summary

The package ships a binding.gyp file containing the GYP command-expansion syntax <!(...) at line 6, in a context (sources/targets) that GYP evaluates as a shell command during the configure step. npm implicitly runs node-gyp rebuild whenever a binding.gyp is present, even without any declared install/postinstall script, so the embedded command executes automatically on npm install. This is functionally equivalent to a lifecycle hook running attacker-controlled shell at install time. The presence of binding.gyp in a package whose primary purpose is not a native C/C++ addon, combined with command expansion being used in the build config itself, indicates that the file's purpose is to execute the embedded command rather than to build a real native module.
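As an added example (not part of this advisory or of the package), the three heuristics in the summary can be turned into a small JavaScript check over a package's package.json object and binding.gyp text. It assumes npm's default-script rule (node-gyp rebuild is added only when no install/preinstall script exists and "gypfile" is not set to false) and uses a constructed sample binding.gyp with a harmless placeholder command in place of the real payload.

```javascript
// Heuristic checks for the install-time pattern described in the advisory (added example).
// GYP command expansion: "<!(cmd)" inserts cmd's stdout, "<!@(cmd)" inserts it as a list; nested parens are not handled.
const COMMAND_EXPANSION = /<!@?\(([^)]*)\)/g;

// Return every command-expansion directive with its 1-based line number and the command text.
function findCommandExpansions(gypText) {
  const hits = [];
  gypText.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(COMMAND_EXPANSION)) {
      hits.push({ line: i + 1, directive: m[0], command: m[1] });
    }
  });
  return hits;
}

// True when npm would run "node-gyp rebuild" on its own: binding.gyp is present,
// "gypfile": false is not set, and no install/preinstall script overrides the default (assumed npm behaviour).
function implicitNodeGypRebuild(pkg, hasBindingGyp) {
  const s = pkg.scripts || {};
  return hasBindingGyp && pkg.gypfile !== false && !s.install && !s.preinstall;
}

// Count C/C++ source files named in the build config; a "native addon" with none is suspect.
function countNativeSources(gypText) {
  return (gypText.match(/['"][^'"]+\.(c|cc|cpp|cxx)['"]/g) || []).length;
}

// gypText is the binding.gyp contents, or null when the package ships none.
function assess(pkg, gypText) {
  const hits = gypText === null ? [] : findCommandExpansions(gypText);
  const implicit = implicitNodeGypRebuild(pkg, gypText !== null);
  const nativeSources = gypText === null ? 0 : countNativeSources(gypText);
  const reasons = [];
  if (implicit) reasons.push('binding.gyp makes npm run node-gyp rebuild with no declared install script');
  if (hits.length) reasons.push('command expansion at line(s) ' + hits.map(h => h.line).join(', '));
  if (hits.length && nativeSources === 0) reasons.push('no C/C++ sources: build config exists only to run a command');
  return { flagged: implicit && hits.length > 0, hits, nativeSources, reasons };
}

// Constructed sample mirroring the reported shape: the expansion sits on line 6 of a
// "sources" list, there are no real native sources, and the command is a harmless placeholder.
const SAMPLE_GYP = "{\n  'targets': [\n    {\n      'target_name': 'example',\n" +
  "      'sources': [\n        '<!(echo placeholder)',\n      ],\n    },\n  ],\n}\n";
const SAMPLE_PKG = { name: 'example-pkg', version: '0.0.0', scripts: { test: 'node test.js' } };
// assess(SAMPLE_PKG, SAMPLE_GYP).flagged === true, with the hit reported at line 6
```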

Source: amazon-inspector (2b6c1bed6103f7e34a22e317c3d0b51619597e14c9dbcad215ff03c257de835c)
