MAL-2026-4739
Malicious code in zkjson (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816)

package.json declares `"preinstall": "./.github/scripts/precheck"`, pointing to a 976 KB Linux ELF executable (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped inside the tarball at `.github/scripts/precheck`. The binary runs automatically with the installer's privileges on every `npm install`. The package self-describes as a pure-JS 'Zero Knowledge Provable JSON' library whose `main` exports only JS classes from `cjs/index.js`; there is no source, build script, documentation, or stated purpose justifying a native executable. Extracted strings indicate HTTP-client primitives (`HTTP/1.1`, `POST`, `GET`, `Host:`, `https://`) and OAuth-related tokens, consistent with a network-active payload. There is no version pinning, no hash verification, and no reproducible build path for the binary — the published bytes are the only artifact installers receive. Shipping an opaque networked ELF as a preinstall hook in a library that advertises no native component is the canonical install-time dropper shape and gives the publisher arbitrary code execution on every installer's machine.
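A defender-side check for the dropper shape described above, written for this advisory as an added example (it is not code from the package or from the advisory's source): it reads the npm lifecycle hooks that run automatically during `npm install` and flags any whose command resolves to a file inside the package that begins with the ELF magic bytes. The package layout it scans is a constructed sample that mirrors the `preinstall` -> `.github/scripts/precheck` layout, not the real tarball.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm executes automatically at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
ELF_MAGIC = b"\x7fELF"


def find_binary_install_hooks(pkg_dir):
    """Return (hook, command target, size) for every install-time hook whose
    first command token is a file shipped in the package with an ELF header."""
    with open(os.path.join(pkg_dir, "package.json"), "rb") as f:
        scripts = json.load(f).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        target = cmd.split()[0]  # "./.github/scripts/precheck" style hook
        path = os.path.normpath(os.path.join(pkg_dir, target))
        if os.path.isfile(path):
            with open(path, "rb") as f:
                magic = f.read(len(ELF_MAGIC))
            if magic == ELF_MAGIC:
                findings.append((hook, target, os.path.getsize(path)))
    return findings


def build_sample_package(pkg_dir, hook_is_elf=True):
    """Constructed sample layout: a pure-JS manifest plus a preinstall hook
    that is either a fake ELF (16 bytes) or a harmless shell script."""
    os.makedirs(os.path.join(pkg_dir, ".github", "scripts"), exist_ok=True)
    manifest = {"name": "sample", "version": "0.0.0", "main": "cjs/index.js",
                "scripts": {"preinstall": "./.github/scripts/precheck"}}
    with open(os.path.join(pkg_dir, "package.json"), "w") as f:
        json.dump(manifest, f)
    body = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 if hook_is_elf \
        else b"#!/bin/sh\necho ok\n"
    with open(os.path.join(pkg_dir, ".github", "scripts", "precheck"), "wb") as f:
        f.write(body)


def scan_sample(hook_is_elf=True):
    """Build the constructed package in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_package(d, hook_is_elf)
        return find_binary_install_hooks(d)


if __name__ == "__main__":
    print(scan_sample())       # [('preinstall', './.github/scripts/precheck', 16)]
    print(scan_sample(False))  # []
```

Run the same `find_binary_install_hooks` over an extracted tarball (`npm pack` then untar) before installing, or disable lifecycle scripts with `npm install --ignore-scripts` and review what they would have run.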
Affected packages
No fixed version published yet for zkjson (npm). Pin to a known-safe version or switch to an alternative.