
MAL-2026-4716

Malicious code in weavedb-client (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0)

package.json declares `"preinstall": "./scripts/postbuild"`. The referenced file is not a script but a 976,568-byte UPX-packed Linux x86-64 ELF binary (ELF magic `\x7fELF\x02\x01\x01`, `upx.sf.net` marker, dynamic loader reference `/lib64/ld-linux-x86-64.so`). Every `npm install` of this package executes this opaque native binary on the installer's machine, with no source, no hash/signature verification, and no documented purpose. The package's stated purpose is a JavaScript gRPC client for WeaveDB, which has no legitimate requirement for a packed native Linux executable at install time.

Strings extracted from the binary include `KEYPuTTY-User-Key-File`, `BEGINPRIV`, `RSA_PKCS1_`, `Ed25519` (private-key parsing), `oauthToken`, `dcTok` (OAuth/Discord token field names), `2022-11-28` (GitHub REST API version header), `USERPROFILE`/`HOME`/`PATH` (environment scraping), `PTRACE`/`NETLINK_DIAG` (process/socket inspection), and HTTP client primitives (`HTTP/1.1`, `application/json`, `Phttps://`). This constellation matches a credential-harvester profile targeting SSH/PuTTY private keys, GitHub tokens, OAuth/Discord tokens, and environment variables, with HTTPS exfiltration.

An earlier version (0.44.0) of the package had no install scripts; the preinstall hook and the ELF binary were added without corresponding source-tree changes, consistent with a malicious release.
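As an added worked example (not part of this advisory or of the weavedb-client project), the following Python script performs the checks the analysis above describes on an unpacked npm package: it reads package.json, finds lifecycle hooks whose command points at a file shipped inside the package, tests that file for the ELF magic and UPX marker, and searches its printable strings for the credential-related indicators quoted above. The sample package it builds in a temporary directory is constructed for the demonstration and is not the real artifact; the indicator list is the handful of strings quoted in the source, not a complete signature, and the function and variable names are this example's own.

```python
"""Audit an unpacked npm package for install hooks that run native binaries (added example)."""
import json
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKERS = (b"UPX!", b"upx.sf.net")
# Indicator strings quoted in the advisory; a constructed, deliberately short watch-list.
CREDENTIAL_INDICATORS = [
    "PuTTY-User-Key-File", "BEGINPRIV", "RSA_PKCS1_", "Ed25519",
    "oauthToken", "dcTok", "2022-11-28", "USERPROFILE", "PTRACE", "NETLINK_DIAG",
]
# npm lifecycle hooks that run automatically during `npm install`.
HOOKS = ("preinstall", "install", "postinstall", "prepare")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n 4`: runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify_file(path: Path) -> dict:
    """Report whether a hook target is an ELF, whether it is UPX-packed, and which indicators it contains."""
    data = path.read_bytes()
    strings = printable_strings(data)
    hits = sorted({ind for ind in CREDENTIAL_INDICATORS if any(ind in s for s in strings)})
    return {
        "is_elf": data.startswith(ELF_MAGIC),
        "is_upx": any(marker in data for marker in UPX_MARKERS),
        "size": len(data),
        "indicators": hits,
    }


def audit_package(pkg_dir) -> list:
    """Return one finding per lifecycle hook in package.json, enriched when the hook runs a bundled file."""
    pkg_dir = Path(pkg_dir)
    manifest = json.loads((pkg_dir / "package.json").read_text())
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in HOOKS:
            continue
        tokens = cmd.split()
        # npm runs the hook through sh from the package root, so "./x" is a file inside the tarball.
        target = tokens[0] if tokens else ""
        finding = {"hook": hook, "command": cmd, "native_binary": False, "upx": False, "indicators": []}
        candidate = pkg_dir / target
        if target.startswith("./") and candidate.is_file():
            info = classify_file(candidate)
            finding.update(native_binary=info["is_elf"], upx=info["is_upx"], indicators=info["indicators"])
        findings.append(finding)
    return findings


def build_sample_package(root) -> Path:
    """Construct a stand-in package with the advisory's shape; the binary is a fake stub, not the real file."""
    pkg = Path(root) / "package"
    (pkg / "scripts").mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "weavedb-client", "version": "0.0.0-example",
        "scripts": {"preinstall": "./scripts/postbuild"},
    }))
    fake_elf = (
        ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 16            # ELF64, little-endian header prefix
        + b"upx.sf.net\x00"                                   # UPX packer marker
        + b"PuTTY-User-Key-File\x00oauthToken\x00dcTok\x00"   # credential-related strings
        + b"PTRACE\x00/lib64/ld-linux-x86-64.so\x00"
    )
    (pkg / "scripts" / "postbuild").write_bytes(fake_elf)
    return pkg


def run_demo() -> list:
    """Build the constructed package in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_sample_package(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

To check a real package without executing its hooks, fetch the tarball with `npm pack <name>@<version>` (which does not run lifecycle scripts), extract it, and point `audit_package` at the extracted `package/` directory. Any hook whose finding shows `native_binary` true should be treated as a blocker regardless of the indicator list, since a bundled ELF with no source is the core problem the analysis above identifies.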


Affected packages

npm / weavedb-client

No fixed version has been published yet for weavedb-client (npm). Pin to a version that predates the install hook (the source analysis notes that 0.44.0 shipped no install scripts) after inspecting that version's tarball yourself, or switch to an alternative. If a version carrying the preinstall hook has already been installed on a Linux host, treat the SSH/PuTTY keys, GitHub tokens, OAuth/Discord tokens and environment secrets present on that host as exposed and rotate them.
