Vulnerabilities: 1 via 1 paths
Dependencies: 49
Source: GitHub
Commit: dc50505e


high severity

Command Injection

  • Vulnerable module: glob
  • Introduced through: glob@10.3.12

Detailed paths

  • Introduced through: gulp-mvb@dennisreimann/gulp-mvb#dc50505e1b90772d7f90b94fb4630e75f6e1dacb glob@10.3.12
    Remediation: Upgrade to glob@10.5.0.

Overview

Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The command-line option handling in src/bin.mts hands the matched filenames to foregroundChild(), which by default runs the command with shell: true, so the entire command line, filenames included, is parsed by a shell. An attacker who can control the filenames being matched (for example, by creating files in a directory the pattern covers) can therefore execute arbitrary commands with the privileges of the user running the process simply by giving a file a name that contains shell metacharacters, e.g. $(touch injected_poc).

The malicious filename must actually be matched by the pattern given to glob -c, so that it is appended to the command. Files with such names do not trigger this when matched through the library API (glob() and related functions), which only returns the matches and never spawns a command.

Remediation

Upgrade glob to version 10.5.0 (on the 10.x line) or 11.1.0 or higher, and confirm afterwards that the version resolved in the lockfile actually changed; here glob@10.3.12 is pulled in directly by gulp-mvb, so the upgrade has to take effect on that path. Note that the vulnerable code is the glob CLI's -c/--cmd handling: unless something in the build runs the glob binary with -c over directories containing untrusted filenames, the dependency path shown above does not by itself expose this injection.

References