MAL-2026-4715
Malicious code in weavedb-base (npm)
Details
## Source: amazon-inspector (886f22636b5e4726978e23b10a4311fb7e65c2b10003da72429348fa617884d1)

package.json declares "preinstall": "./vendor/setup", which runs a 976KB packed Linux x86 ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) on every `npm install`. The binary is packed/compressed — its strings are mostly non-printable garbage with isolated fragments for `HTTP/1.1`, `https://`, `POST`, `DELETE`, `USERPROFILE`, `PTRACE`, `LIBBPF_0.0`, and TLS/Ed25519/RSA primitives — indicating networking and process-tracing capability hidden behind a packer. The package self-describes as a pure-JavaScript Arweave-related library, which has no need for a privileged native binary, let alone one that auto-executes at install time without any integrity verification, version pinning, or build-from-source path. The combination of (a) install-time unconditional execution, (b) opaque packed payload defeating static inspection, (c) no relationship between the binary's apparent capabilities (kernel tracing, raw networking) and the package's advertised purpose, and (d) absence of any hash check or publisher-matched download URL makes this a textbook install-time RCE dropper. Any developer or CI system that runs `npm install weavedb-base` on Linux executes this binary with the installer's privileges.
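A defender-side check for the pattern described above, as an added example that is not part of the advisory or of any scanner's own code: it flags npm install hooks (`preinstall`, `install`, `postinstall`) whose command points at an ELF file shipped inside the package, and records that file's SHA-256. The function names and the temporary `constructed-pkg` layout are assumptions, and the binary is constructed stand-in bytes.

```python
import hashlib
import json
import shlex
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install
ELF_MAGIC = b"\x7fELF"

def audit_package(pkg_dir):
    """Return findings for install hooks that run an ELF file shipped in the package."""
    pkg_dir = Path(pkg_dir).resolve()
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            tokens = command.split()
        for token in tokens:
            target = (pkg_dir / token).resolve()
            # Only regular files that live inside the package itself are of interest.
            if pkg_dir not in target.parents or not target.is_file():
                continue
            data = target.read_bytes()
            if data.startswith(ELF_MAGIC):
                findings.append({"hook": hook, "command": command,
                                 "file": target.relative_to(pkg_dir).as_posix(),
                                 "sha256": hashlib.sha256(data).hexdigest()})
    return findings

def demo():
    """Build a constructed package with the layout the advisory describes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "constructed-pkg"
        (pkg / "vendor").mkdir(parents=True)
        manifest = {"name": "constructed-pkg", "scripts": {"preinstall": "./vendor/setup", "test": "node test.js"}}
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        # Constructed stand-in bytes: ELF magic plus padding, not the real payload.
        (pkg / "vendor" / "setup").write_bytes(ELF_MAGIC + b"\x00" * 60)
        return audit_package(pkg)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `audit_package` over an unpacked tarball before installing it. `npm install --ignore-scripts` keeps lifecycle hooks such as `preinstall` from running at all.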
Affected packages
No fixed version published yet for weavedb-base (npm). Pin to a known-safe version or switch to an alternative.