MAL-2026-5799

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2) package.json declares `preinstall: node install.js`, which fires automatically on `npm install`. install.js is heavily obfuscated (obfuscator.io string-array shuffle with `_0xNNNN` identifiers and split-string concatenation) to hide its behavior. After deobfuscation, the script downloads `https://www.pooron.org/ice.exe` into the OS temp directory as `tester_<randomhex>.exe`, chmods it 755, and spawn-detaches it via `spawn(PAYLOAD_PATH, [], {detached:true, stdio:'ignore', windowsHide:true}).unref()` — using a cmd-style invocation on Windows and direct exec on macOS/Linux. A console message `[boardstep] Optional dependency initialized.` is printed as a cover story (note that `boardstep` does not match the package name `boardflow`). The payload domain `pooron.org` is not the package's publisher, the URL is mutable and unpinned, no hash or signature check is performed, and the binary is opaque. Supporting indicators of disposability: README is 0 bytes, `dependencies` declares a self-reference (`boardflow: ^1.1.8`), and the package's stated kanban purpose has no implementing code. This is a textbook install-time dropper: any developer or build system running `npm install boardflow` immediately executes attacker-controlled code with the installer's privileges.