MAL-2026-5825

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7b1f4da3cb40cc2e1396230869d85bcc5a3c9267c0dc3c60dc297c08d1882230) The package's main file (index.js) is heavily obfuscated using obfuscator.io-style string-array rotation, base64 fragments, and per-byte XOR decoders (e.g. `H(a0)` with key `k=[0x70,0xa0,0x89,0x48]`) that hide strings such as 'package.json', 'node_modules', '.vscode', 'npm i --silent', 'nohup', 'cd', and 'f.js'. On require(), it collects host identifiers — os.hostname(), os.userInfo().username, os.platform(), Date.now(), process.argv[1] — and beacons them as {ts,type,hid,ss,cc} to a hardcoded C2 endpoint whose host is reassembled at runtime from obfuscated constant arrays (X/z) to evade static detection. The C2 response is used to fetch a second-stage JavaScript payload via GET '<host>/f/<R>', which is written to ~/.vscode/f.js along with a fake package.json; the package then runs `cd "<dir>" && npm i --silent` and spawns `node f.js` detached (with nohup on Linux) to persist execution. A setInterval retries the beacon on failure. The package's advertised purpose ("database-security-scanner") is a cover story — package.json has empty author/description/license and no database-scanning code exists; the entire module is the dropper. Any installer that requires this package executes attacker-supplied code fetched at runtime with no hash verification, hidden staging in ~/.vscode, and detached persistence.