
MAL-2026-4817

Malicious code in chainix (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (93d9609d2eac0c0ff33aed557171138930255798aa649fa648b04814c8cb1908)

Package presents itself as a pino-compatible logger (README badges link to pinojs/pino, exports alias `module.exports.pino = middleware`) but its exported middleware spawns a detached `node lib/initializeCaller.js`. That script base64-decodes a hardcoded URL to https://aqua-margit-84.tiiny.site/index.json, fetches the JSON over HTTPS with a base64-obfuscated `x-secret-key` header, takes the `data.cookie` field, and executes it via `new Function.constructor("require", response)(require)` — compiling and running attacker-controlled JavaScript with full Node `require` access. The fetch retries 5 times. The C2 URL and header name/value are stored as base64 in a fake `process` object to evade plain-text scanning. tiiny.site is an anonymous static-hosting service; the content at that URL is mutable and attacker-controlled. This is a remote-code-execution dropper that fires when a consumer application invokes the advertised middleware, giving the attacker arbitrary code execution on any host running the application.
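As an added example (not part of the advisory and not the package's code), a small Node.js static triage for the traits described above: dynamic code construction, a detached child process, and string literals that base64-decode to a URL, which plain-text scanning misses. The function names, the sample source and the `example.invalid` URL are constructed for illustration.

```javascript
// Added example: static triage for traits described in the advisory.
// Function names and the sample input are constructed for illustration.
const DYNAMIC_CODE = [
  /\bnew\s+Function\b/,                // new Function(...) / new Function.constructor(...)
  /\bFunction\s*\.\s*constructor\b/,   // Function.constructor(...)
  /\beval\s*\(/,                       // eval(...)
];
const DETACHED_SPAWN = /\bdetached\s*:\s*true\b/; // child_process option
const STRING_LITERAL = /(["'`])([A-Za-z0-9+/]{16,}={0,2})\1/g;

// Return the decoded text if `text` is canonical base64 for printable ASCII.
function decodeIfBase64(text) {
  if (text.length % 4 !== 0) return null;
  const decoded = Buffer.from(text, "base64");
  // Buffer.from is lenient, so require an exact round trip.
  if (decoded.toString("base64") !== text) return null;
  const s = decoded.toString("latin1");
  return /^[\x20-\x7e]+$/.test(s) ? s : null;
}

// Scan one source file's text and return a list of findings.
function scanSource(source) {
  const findings = [];
  for (const re of DYNAMIC_CODE) {
    if (re.test(source)) findings.push({ kind: "dynamic-code", pattern: re.source });
  }
  if (DETACHED_SPAWN.test(source)) findings.push({ kind: "detached-spawn" });
  for (const m of source.matchAll(STRING_LITERAL)) {
    const decoded = decodeIfBase64(m[2]);
    // Only flag literals that hide a URL; other base64 (hashes, icons) is common.
    if (decoded && /^https?:\/\//i.test(decoded)) {
      findings.push({ kind: "base64-url", decoded });
    }
  }
  return findings;
}

// Constructed sample: one hidden placeholder URL, one benign base64 literal.
const HIDDEN = Buffer.from("https://example.invalid/index.json").toString("base64");
const SAMPLE = `
const cfg = { u: "${HIDDEN}" };
const run = new Function.constructor("require", body);
const benign = "QUJDREVGR0hJSktMTU5PUFFSU1RVVg==";
`;

console.log(scanSource(SAMPLE));
```

A hit is a reason to read the file, not a verdict: legitimate packages also use `new Function` and base64 literals, so findings are best combined (hidden URL plus dynamic code in the same package).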

Affected packages

npm / chainix

No fixed version published yet for chainix (npm). Pin to a known-safe version or switch to an alternative.

References