MAL-2026-4652

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5b94c01fae325c5f5e92abd5da03527c54e22bb48202b1dc8b3e2c64947753b2) package.json declares "preinstall": "./dist/typecheck.js". The referenced file is not JavaScript — it is a 5,224,556-byte Linux x86 ELF executable (containing `__libc_start_main`, `/lib64`, and `nux-x86-` interpreter strings) with the literal endpoint `207.90.194.2:443` baked into it. The native binary is concealed behind forged TypeScript build metadata: a sibling `dist/typecheck.d.ts` declares a `getParser(): Promise<Parser>` API for tree-sitter Python, and `dist/typecheck.js.map` is a reused copy of `parser.js.map` (its `"file"` field is `"parser.js"`), making the dropper look like ordinary tsdown output to a casual reviewer. On `npm install` on any Linux x86 host, the ELF runs automatically as the installer's user, calling out to the hardcoded IP:port. The package's stated purpose (a Python utility / tree-sitter parser wrapper) has no legitimate need to ship or execute a native binary at install time, and no pure-JS code path actually consumes `getParser`.

## Source: ghsa-malware (c921a2001a2f3f31f6029ffd8f1eff35ac7b4d3250a6f25f7b2b8ecafe633665) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.