# MAL-2026-4714

## Malicious code in wdb-sdk (npm)

## Details
### Source: amazon-inspector (05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500)

package.json declares `"preinstall": "./dist/runtime.node"`, causing npm to spawn the shipped file as an executable on every install on Linux. Despite the `.node` extension (which would normally indicate a Node-API addon loaded via `require()`), the file is a 976KB stripped/packed ELF binary, not a native addon — Node addons are never spawned as processes. The binary contains strings indicating network I/O (HTTP/1.1, POST, https://), host enumeration (USERPROFILE, /lib64, linux-x86), kernel/eBPF and ptrace primitives (LIBBPF_0.0, PTRACE), and modern crypto (RSA/Ed25519/X448/MLKEM), with packed/obfuscated fragments. The package ships no source, no binding.gyp, no node-gyp/prebuild-install/node-pre-gyp scaffolding, no checksum, and no version-pinned publisher-hosted release URL — none of the legitimate native-addon shape. The `.node` filename is a deliberate disguise to make the executable look like a benign addon. Any developer or CI system running `npm install wdb-sdk` on Linux executes this attacker-controlled binary with the installer's privileges.
## Affected packages

No fixed version published yet for wdb-sdk (npm). Pin to a known-safe version or switch to an alternative.