ts-bn-proto @5.8.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-6695
Ecosystem
npm
Summary
The package's index.js requires Node's child_process module and contains execSync calls that spawn bash and zsh (around lines 301 and 317). Without further trace evidence, the intent and reachability of these shell invocations cannot be confirmed — they may be benign tooling or a path to executing arbitrary commands on the installer's machine. Given the presence of shell execution primitives in the main module, manual review of index.js around the cited lines is warranted before allowing this package into a build environment.
Source: amazon-inspector (815835f44f5257a8dda47ca05ec01f05d4f4ead35850358445a644639ab00dd5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.