MAL-2026-6492
Malicious code in hexo-shoka-swiper (npm)
Details
## Source: amazon-inspector (62f045b55721408d94a92f5d65b58d69c98d3dc29d5f4f9327fb8edb4f85eaad)

The package ships a binding.gyp whose `sources` field uses GYP command-expansion syntax (`<!(...)`) at line 6. npm runs `node-gyp rebuild` implicitly whenever a binding.gyp is present and the package declares no install or preinstall script, and GYP executes the contents of `<!(...)` through a shell during the configure step, substituting the command's output into the build description. Simply running `npm install hexo-shoka-swiper` therefore executes the embedded shell command on the installer's machine, with no lifecycle script visible in package.json to hint at it.

The package's nominal purpose is a Hexo theme Swiper integration, a pure JavaScript front-end concern with no legitimate need to build a native addon or to evaluate shell at install time. The binding.gyp here functions as a substitute for a lifecycle hook, yielding arbitrary install-time code execution, rather than as a real native-build description.
Affected packages
No fixed version published yet for hexo-shoka-swiper (npm). Pin to a known-safe version or switch to an alternative.