MAL-2026-4726
Malicious code in weavedb-tools (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3)

package.json declares `"preinstall": "./dist/runtime.node"`, which directly executes a ~976KB Linux ELF binary at every `npm install`. The `.node` extension (normally reserved for Node native addons loaded via `require()`) is misused here: the file is invoked as a shell command, not loaded as an addon, a naming choice that evades scanners which treat `.node` files as benign native bindings. The binary is packed/encrypted (large opaque regions, no source, no `binding.gyp`, no build manifest) and its strings include `LIBBPF_0.0`, `PTRACE`, `/proc`, `USERPROFILE`, `https://`, `HTTP/1.1`, `POST`, and `DELETE`, capabilities (eBPF instrumentation, process tracing, outbound HTTP, cross-platform user-home enumeration) wholly unrelated to the package's advertised purpose (a thin CLI helper). Legitimate prior versions of this package shipped only `index.js` and a workspace template with no preinstall hook and no native binary; the addition of an opaque packed ELF executed at install time is consistent with a compromised-publish or typosquat-republish supply-chain attack. Installer impact: arbitrary attacker-controlled native code runs with the user's privileges on every `npm install`, with capabilities to ptrace other processes, instrument the kernel via BPF, enumerate the home directory, and exfiltrate over HTTPS.
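The two indicators the analysis above relies on, an install lifecycle hook that executes a file shipped inside the package, and that file being a native executable (or a `.node` file run as a command rather than loaded through `require()`), can be checked mechanically before a package is installed. The script below is an added example written for this advisory; it is not code from the advisory, from amazon-inspector, or from the package. It assumes an unpacked package directory (for instance the output of `npm pack` extracted, or an entry under `node_modules`) and builds its own constructed sample packages in a temporary directory: the "malicious" sample reproduces only the `preinstall` hook shape and an ELF magic header, not the advisory's binary.

```python
#!/usr/bin/env python3
"""Flag npm packages whose install hooks execute a native binary shipped in the package.

Added example for this advisory (not the advisory's or the package's own code).
Checks each install-time script in package.json, resolves programs referenced by
path inside the package, and reports when they are native executables (by magic
number, not extension) or `.node` files invoked as commands.
"""
import json
import os
import shlex
import tempfile

# Lifecycle scripts npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Shell separators after which a new program name begins.
SEPARATORS = {"&&", "||", ";", "|"}
# Magic numbers identifying native executables regardless of file extension.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}


def binary_kind(path):
    """Return the executable format name if the file starts with a known magic, else None."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return None
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def executed_programs(cmd):
    """Return the program names a script line executes (first token of each shell segment)."""
    programs = []
    expect_program = True
    for token in shlex.split(cmd):
        if token in SEPARATORS:
            expect_program = True
            continue
        if expect_program:
            programs.append(token)
            expect_program = False
    return programs


def audit_install_scripts(pkg_dir):
    """Return a list of findings for install hooks in pkg_dir that run package-local binaries."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        for prog in executed_programs(cmd):
            # Bare names (node, npm, sh) resolve through PATH; only package-local
            # paths can be inspected here.
            if "/" not in prog:
                continue
            path = os.path.normpath(os.path.join(pkg_dir, prog))
            reasons = []
            if prog.endswith(".node"):
                reasons.append(".node addon executed as a command instead of loaded via require()")
            kind = binary_kind(path)
            if kind:
                reasons.append(f"{kind} executable run by install hook")
            if reasons:
                findings.append({"hook": hook, "command": cmd, "file": prog, "reasons": reasons})
    return findings


def build_sample_package(root, malicious):
    """Write a constructed sample package under root and return its directory (hypothetical data)."""
    pkg = os.path.join(root, "malicious" if malicious else "benign")
    os.makedirs(os.path.join(pkg, "dist" if malicious else "scripts"))
    if malicious:
        scripts = {"preinstall": "./dist/runtime.node"}
        # ELF magic plus zero filler only; this is not the advisory's binary.
        with open(os.path.join(pkg, "dist", "runtime.node"), "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)
    else:
        scripts = {"postinstall": "node scripts/setup.js"}
        with open(os.path.join(pkg, "scripts", "setup.js"), "w", encoding="utf-8") as f:
            f.write("console.log('setup');\n")
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "sample-pkg", "version": "1.0.0", "scripts": scripts}, f)
    return pkg


def demo():
    """Audit both constructed samples; returns (malicious_findings, benign_findings)."""
    with tempfile.TemporaryDirectory() as root:
        bad = audit_install_scripts(build_sample_package(root, True))
        good = audit_install_scripts(build_sample_package(root, False))
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    for finding in bad:
        print(finding)
    print("benign findings:", good)
```

Run it against a real unpacked package with `audit_install_scripts("/path/to/package")`. The check deliberately keys on magic bytes rather than extension, because the advisory's point is that the `.node` suffix was chosen to look like a loadable addon; a `.js` or extensionless file with an ELF header would be caught the same way. A hook that downloads and runs something from the network would not be detected by this check, since nothing in the package tree is a binary at audit time.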
Affected packages
No fixed version published yet for weavedb-tools (npm). Pin to a known-safe version or switch to an alternative.