MAL-2026-4722
Malicious code in weavedb-offchain (npm)
Details
## Source: amazon-inspector (d267c34e35dca7091a9ab01d22a9c0a4cfde364531b8017f15f4a09785381198)

package.json declares `scripts.preinstall: "./.github/scripts/precheck"`, where `precheck` is a 976,568-byte stripped Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) hidden under a CI-config-looking `.github/scripts/` directory. The package advertises itself as a pure-JavaScript Arweave/WeaveDB database wrapper (index.js exports class OffChain); it ships no native source, no binding.gyp, and prior versions had no preinstall hook.

The ELF's strings reveal a multi-platform implant capability set with no connection to the package's stated purpose: `LIBBPF_0.0` (eBPF kernel hooking), `PTRACE` (process tracing / anti-debug), `NETLINK` and `_BY_FAMILY` (raw socket / connection enumeration), an HTTP/1.1 client with `POST`/`DELETE` methods, GitHub REST API version header `2022-11-28`, modern TLS/crypto primitives (Ed25519, X448, MLKEM, RSA_PKCS1), and a Windows `USERPROFILE` environment probe.

On `npm install`, this binary executes unconditionally with the installer's privileges before any user code runs, the canonical install-time-RCE binary-dropper pattern. Any developer or CI runner that installs this version should be considered compromised.
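A defender-side check for the pattern this advisory describes, added here as an example (it is not part of the advisory and not code from the package): given a parsed package.json and the package's files, it walks each npm lifecycle hook, resolves the files the hook command references, and flags any whose magic bytes mark a native executable (ELF, PE, Mach-O). The sample package below is constructed to mirror the layout described above and is not the real package contents.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Leading bytes of common native executable formats.
const MAGIC = [
  ['ELF', Buffer.from([0x7f, 0x45, 0x4c, 0x46])],
  ['PE', Buffer.from('MZ', 'latin1')],
  ['Mach-O', Buffer.from([0xcf, 0xfa, 0xed, 0xfe])], // 64-bit little-endian
  ['Mach-O', Buffer.from([0xfe, 0xed, 0xfa, 0xcf])], // 64-bit big-endian
];

// Returns the executable format name, or null for scripts, text and other data.
function nativeFormat(buf) {
  for (const [name, magic] of MAGIC) {
    if (buf.length >= magic.length && buf.subarray(0, magic.length).equals(magic)) return name;
  }
  return null;
}

// pkg: parsed package.json; files: Map of package-relative path -> Buffer (e.g. from an
// extracted tarball). Reports each lifecycle hook whose command names a bundled native binary.
function findBinaryHooks(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const token of cmd.split(/\s+/)) {
      const rel = token.replace(/^(\.\/)+/, ''); // "./.github/x" -> ".github/x"
      const buf = files.get(rel);
      const format = buf ? nativeFormat(buf) : null;
      if (format) findings.push({ hook, cmd, path: rel, format });
    }
  }
  return findings;
}

// Constructed sample mirroring the layout the advisory describes (not the real package).
const SAMPLE_PKG = { scripts: { preinstall: './.github/scripts/precheck', postinstall: 'node scripts/setup.js' } };
const SAMPLE_FILES = new Map([
  ['.github/scripts/precheck', Buffer.concat([Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01]), Buffer.alloc(64)])],
  ['scripts/setup.js', Buffer.from("console.log('setup');")],
  ['index.js', Buffer.from('module.exports = class OffChain {};')],
]);

console.log(findBinaryHooks(SAMPLE_PKG, SAMPLE_FILES));
```

On a real package, populate the Map by walking the unpacked tarball; the `postinstall` entry in the sample shows that a hook pointing at a plain script is not flagged, only one pointing at a native binary.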
Affected packages
No fixed version published yet for weavedb-offchain (npm). Pin to a known-safe version or switch to an alternative.