MAL-2026-4721
Malicious code in weavedb-node-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d174728fc7469b023ece1980797185c35abd74c56e253bc1dc1b295a46a1dbd2)

package.json declares `"preinstall": "./tools/setup"`, so every `npm install` of the package unconditionally executes a 976KB UPX-packed, stripped Linux x86 ELF. The package advertises itself as a thin pure-JS WeaveDB gRPC client (a single `weavedb.proto` and a ~150-line `index.js`) and has no native build requirement: no `binding.gyp`, no C/C++/Rust source, no documented native dependency, and no README mention of the shipped binary.

Strings extracted from `tools/setup` indicate capabilities consistent with a credential-stealer / process-introspection payload: `LIBBPF_0.0` and `~PTRACE` (eBPF / ptrace primitives), `USERPROFILE` (the Windows home-directory variable, used for home-directory traversal), `2022-11-28` (the GitHub REST `X-GitHub-Api-Version` header value), `RSA_PKCS1_` and `Ed25519` (key handling), and `HTTP/1.1` with `POST` / `DELETE` verbs.

The shape (an opaque packed binary with no matching source, a mismatch between the advertised purpose and the shipped artefact, execution from an npm lifecycle hook, and capability strings pointing at GitHub tokens and home-directory secrets) is the canonical generic-binary-runner dropper. Any developer or CI system that runs `npm install weavedb-node-client` on Linux executes this attacker-controlled native code with the installing user's privileges. Note that the extracted strings are a static indicator of capability, not a record of what the binary did on a given host; any machine where the preinstall hook ran should be treated as exposed until the binary has been analysed.
Affected packages
No fixed version published yet for weavedb-node-client (npm). Pin to a known-safe version or switch to an alternative. Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents the `preinstall` hook from executing, but does not remove the shipped binary from `node_modules`.