---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (92ebe5ca10c51471256249507d8c7b142996cc72d7472a7a55c08fe6351876f9)

run.js invokes execSync("curl -LsSf https://astral.sh/uv/install.sh | sh"), fetching and executing a remote shell script from astral.sh without integrity verification. While astral.sh is the legitimate publisher of the uv Python package manager, piping a remote script directly into sh from within an npm package is an install-time-RCE pattern: the fetched content is mutable, unpinned, and runs with the user's privileges, modifying the user's environment (typically writing to ~/.local/bin, ~/.cargo/, and shell RC files) as a side effect of using this package. Any compromise of the install.sh endpoint or DNS for astral.sh would yield arbitrary code execution on every machine running this package. The package does not verify a hash or signature, does not pin a version of uv, and does not gate the install behind explicit user consent.