OSV ID
MAL-2026-6436
Ecosystem
npm
Summary
The package ships a binding.gyp at the package root containing GYP command-expansion syntax (<!(...)) at line 6 within the targets/sources block. npm implicitly invokes node-gyp rebuild whenever a binding.gyp is present (even with no declared install/postinstall script), and GYP evaluates <!(...) expressions as shell commands during its configure step. As a result, the embedded command executes on the installer's machine as a side effect of npm install, functionally equivalent to a lifecycle hook. The package does not ship native source files that would justify a real node-gyp build, so the binding.gyp's only purpose is to run the embedded command at install time. The mechanism delivers attacker-controlled code execution on any machine that installs this package.
Source: amazon-inspector (964dd343632ca7e543b0f74dc917ea0cab82fb36cee143057b6d658ce42d9525)
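A detection check for the pattern the summary describes, added here as an example and not part of the OSV record or of the package itself: it scans a binding.gyp for <!(...) and <!@(...) command expansions and flags the file when the package ships no native source that would justify a node-gyp build. The sample binding.gyp, its placeholder command and the file names are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# GYP runs "<!(cmd)" and the list form "<!@(cmd)" as shell commands during node-gyp configure.
CMD_EXPANSION = re.compile(r"<!@?\(")
NATIVE_SRC_EXT = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".m", ".mm"}

def find_command_expansions(gyp_text):
    """Return (line_number, stripped_line) for every line holding a <!(...) expansion."""
    return [(n, line.strip()) for n, line in enumerate(gyp_text.splitlines(), start=1)
            if CMD_EXPANSION.search(line)]

def has_native_sources(package_dir):
    """True if the package tree (excluding nested node_modules) ships any C/C++/ObjC source."""
    return any(p.suffix.lower() in NATIVE_SRC_EXT and "node_modules" not in p.parts
               for p in Path(package_dir).rglob("*") if p.is_file())

def assess_package(package_dir):
    """Flag a package whose binding.gyp runs commands but has no native code to build."""
    gyp = Path(package_dir) / "binding.gyp"
    if not gyp.is_file():
        return {"binding_gyp": False, "expansions": [], "native_sources": False, "suspicious": False}
    hits = find_command_expansions(gyp.read_text(errors="replace"))
    native = has_native_sources(package_dir)
    return {"binding_gyp": True, "expansions": hits, "native_sources": native,
            "suspicious": bool(hits) and not native}

# Constructed sample modelled on the advisory: the expansion sits on line 6 inside
# targets/sources; the command is a harmless placeholder, not the real payload.
SAMPLE_BINDING_GYP = """{
  "targets": [
    {
      "target_name": "binding",
      "sources": [
        "<!(echo constructed-placeholder-command)"
      ]
    }
  ]
}
"""

def demo(with_native_source=False):
    """Build a throwaway package directory around the sample and assess it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "binding.gyp").write_text(SAMPLE_BINDING_GYP)
        if with_native_source:
            (Path(d) / "binding.cc").write_text("// constructed stub\n")
        return assess_package(d)

if __name__ == "__main__":
    print(demo())                         # flagged: expansion on line 6, no native sources
    print(demo(with_native_source=True))  # not flagged: expansion plus real source to build
```

A legitimate addon that uses <!(...) to locate headers will also have .cc/.c files alongside, which is why the check treats the two signals together rather than flagging every expansion.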