MAL-2026-5713
Malicious code in vite-plugin-compress-js (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2)

On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable paste host) and passes the response's `data` field to `new Function.constructor("require", ...)`. Because `Function.constructor` is `Function` itself, this is equivalent to `new Function("require", data)`; the resulting function is then invoked with the module's own `require`, granting the remote payload full Node.js capabilities (fs, child_process, network) inside the consumer's Vite build process.

dist/index.mjs (lines ~124-128) calls the fetch+eval directly via initPlugin(). dist/index.cjs (lines ~130-141) wraps the same payload in `if (isMainThread) { new Worker(__filename) } else { initPlugin() }`: the main thread spawns a worker that re-loads the same file with isMainThread=false, so the network-fetched code runs in the worker thread, which hides the behavior from naive inspection of the main-thread code path.

The package name and metadata (author 'Vben', debug name 'vite-plugin-compression', plugin name 'vite:compression') clone the well-known vite-plugin-compress / vite-plugin-compression packages, and an otherwise-unused `request` dependency exists solely to perform the C2 fetch. Any developer or build system that imports this package executes whatever JavaScript the operator currently has hosted at the jsonkeeper paste. Because the paste is mutable, the payload observed at analysis time may differ from what other installs received; the package should be treated as fully attacker-controlled regardless of what the URL returns now.
Affected packages
No fixed version has been published for vite-plugin-compress-js (npm). Since the package itself is the malicious clone, there is no safe version to pin to: remove it, use the genuine vite-plugin-compression package instead, and treat any developer machine or build system that imported it as having executed attacker-controlled code.