MAL-2026-4713
Malicious code in wdb-cli (npm)
Details
## Source: amazon-inspector (3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee)

package.json declares `"preinstall": "./vendor/setup"`, which on every `npm install` invokes a 976568-byte Linux x86 ELF binary shipped inside the package tarball (sha256 36abd242…6d36). The binary has no accompanying source, no `binding.gyp`, no build step, and is not documented anywhere in the package. Strings inside the ELF reveal capabilities (`LIBBPF_0.0`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `https://`, RSA crypto) that have no plausible relationship to a database CLI's installation. The installer cannot inspect the bytes before they execute, the binary is not hash-verified, and it is not pulled from a publisher-matching, version-pinned release. Any developer or CI environment running `npm install wdb-cli` therefore executes opaque, attacker-controllable native code with the invoking user's privileges, with eBPF/ptrace primitives that enable kernel-level observation and process tampering, and with built-in HTTPS capability for outbound exfiltration or C2. A separate file (`workspace/.wallet.json`) ships a full RSA private key, but that appears to be author self-harm (the author's own dev wallet copied into user-created project scaffolds via an explicit CLI subcommand) and is not the basis for this verdict.
Affected packages
No fixed version published yet for wdb-cli (npm). Pin to a known-safe version or switch to an alternative.