MAL-2026-5704
Malicious code in friendly-greeter-demo (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9b881e279b0b93ea759ec1f1a2265382a01778725a1c563a5ea4eb168e03ca5d)

friendly-greeter-demo ships an active remote-access backdoor that fires both at install time (postinstall.js, run automatically by `npm install`) and on import (index.js, declared as `main`).

On install, postinstall.js spawns a detached daemon (POSTINSTALL_DAEMON=1) that POSTs the host's uuid, hostname, and platform to http://98.86.244.177:8080/register, polls http://98.86.244.177:8080/beacon for a `command` field, executes the returned shell command via child_process.exec with a 30s timeout, and POSTs stdout/stderr back to http://98.86.244.177:8080/results.

index.js performs the same register/beacon/exec/results loop in a top-level IIFE, so any consumer that `require`s or `import`s this package also runs attacker-supplied shell commands.

The C2 endpoint is a hardcoded bare IPv4 address over plain HTTP, with no authentication, pinning, or opt-in. Author metadata is the placeholder `Your Name <salman.ta12312@gmail.com>` with a generic 'educational' description. This is a complete remote-code-execution backdoor on every installer and every downstream consumer.
Affected packages
No fixed version has been published for friendly-greeter-demo (npm), and no version of the package is known to be safe, so do not pin: remove the dependency and regenerate the lockfile. `npm ls friendly-greeter-demo` shows whether it is present anywhere in an installed tree. Because the backdoor runs during `npm install` and again on every `require`/`import`, any host, CI runner or container image that installed one of the listed versions should be treated as compromised and investigated: look for a lingering detached node process carrying POSTINSTALL_DAEMON=1 in its environment and for outbound connections to 98.86.244.177:8080, and assume attacker-supplied shell commands may already have run there.
References
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.1 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.2 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.3 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.6 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.9 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.10 [PACKAGE]
- https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.11 [PACKAGE]