npm

ts-bn-proto @5.8.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6695

Ecosystem

npm

Summary

The package's index.js requires Node's child_process module and contains execSync calls that spawn bash and zsh (around lines 301 and 317). Without further trace evidence, the intent and reachability of these shell invocations cannot be confirmed — they may be benign tooling or a path to executing arbitrary commands on the installer's machine. Given the presence of shell execution primitives in the main module, manual review of index.js around the cited lines is warranted before allowing this package into a build environment.

Source: amazon-inspector (815835f44f5257a8dda47ca05ec01f05d4f4ead35850358445a644639ab00dd5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.