MAL-2026-4718

Malicious code in weavedb-exm-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec)

package.json declares `"preinstall": "./vendor/setup"`, causing every `npm install weavedb-exm-sdk` to execute vendor/setup — a 976,568-byte Linux x86 ELF that is UPX-packed (the `http://upx.sf.net` self-decompressor banner is present at offset ~4574). The package's advertised purpose is a pure-JS WeaveDB/EXM SDK that wraps @execution-machine/sdk, arweave, and ramda; the source tree contains no native code, no binding.gyp, no node-gyp build, and no documented reason to ship a Linux native binary. Strings recovered from the binary's tail include `LIBBPF`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `POST`, `https://`, and `USERPROFILE` — capabilities (eBPF/ptrace/network) that a JavaScript SDK has no need for. UPX packing of an install-time payload is an intentional anti-analysis measure: the executable bytes are not auditable from the source tree. This is a textbook opaque-binary dropper at preinstall time — the installer runs attacker-controlled native code on every `npm install`, with no hash verification, no purpose match, and no transparency.

Affected packages

npm / weavedb-exm-sdk

No fixed version published yet for weavedb-exm-sdk (npm). Pin to a known-safe version or switch to an alternative.