
MAL-2026-5912

Malicious code in js-digest (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (52847ff329757e0777e62c1c060455abc4ddd6f002c295a7f38d0e0489daf76f)

Package impersonates crypto-js: name is `js-digest` but `package.json` carries crypto-js's exact description ("JavaScript library of cryptography standards."), homepage `http://github.com/brix/js-digest` (brix is the crypto-js org), and author "Evan Vosberg" (the crypto-js maintainer).

`package.json` declares `"preinstall": "./lib/install-deps.mjs"`, but `lib/install-deps.mjs` is not JavaScript — it is a 3.2 MB Linux x86_64 ELF binary (magic `7F 45 4C 46`, sha256 `7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316`). On `npm install`, npm's preinstall hook executes this native binary with the installer's privileges before any code is reviewed.

Strings extracted from the binary show a multi-platform credential harvester: HTTP requests scraping GitHub (`GET /user`, `/user/repos` with `Authorization: Bearer...`), Slack (`POST /api/auth.test` with `Cookie: d=`), Discord, Microsoft Teams (`/api/mt/*`), and HashiCorp Vault (`X-Vault-Token`, `/v1/...`); reads of `/.vault-token`, `/.vault/token`, `gpg --batch --no-tty --list-keys`, and `/proc/<pid>/{mem,cmdline,environ}`; and multipart POST uploads to remote endpoints.

The binary also embeds systemd unit templates (`[Unit]/[Service]/ExecStart=.../Restart=always`) for both system (`/etc/systemd/system/`) and user (`~/.config/systemd/user/`) scopes for persistence, plus libbpf rootkit primitives (`bpf_object__open_mem`, `bpf_map__pin`, `bpf_program__attach`, maps `hidden_pids`/`hidden_inodes`/`hidden_names`, `/sys/fs/bpf/`) for kernel-level concealment from `ps`/`ls`/`lsof`.

Installing this package compromises the host with a persistent, hidden credential stealer.
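The install-time trick above (a lifecycle hook pointing at a `.mjs` file that is really an ELF executable) can be caught before `npm install` runs it. The following Python script is an added defensive check, not part of the advisory or of any tool it cites: it reads a package's `package.json`, follows each npm lifecycle hook to the file it invokes, and flags any file whose first bytes are a native executable magic number instead of script text. The function names and the fixture's ELF header bytes are assumptions.

```python
import json
import os
import shlex
from typing import Callable, List

# npm lifecycle hooks that run automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Magic numbers of native executable formats. The js-digest payload is ELF,
# so its first four bytes are 7F 45 4C 46 whatever the file extension says.
NATIVE_MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xcf\xfa\xed\xfe": "Mach-O"}


def classify_header(head: bytes) -> str:
    """Name the native format `head` starts with, or 'text' if none matches."""
    for magic, name in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return "text"


def audit_package(package_json: str, read_head: Callable[[str], bytes]) -> List[str]:
    """List lifecycle scripts whose referenced script file is really a native binary.

    read_head(rel_path) returns the first bytes of a package-relative file and
    raises KeyError or OSError when that path is not a file in the package.
    """
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        for token in shlex.split(scripts.get(hook, "")):
            # only tokens that look like file paths are worth opening
            if "/" not in token and not token.endswith((".js", ".mjs", ".cjs")):
                continue
            try:
                fmt = classify_header(read_head(os.path.normpath(token))[:8])
            except (KeyError, OSError):
                continue  # a URL, a flag or a bare command, not a packaged file
            if fmt != "text":
                findings.append(f"{hook}: {token} is a native {fmt} binary, not a script")
    return findings


if __name__ == "__main__":
    # constructed fixture modelled on the advisory; the bytes are a hypothetical ELF header
    manifest = json.dumps({"name": "js-digest", "scripts": {"preinstall": "./lib/install-deps.mjs"}})
    fake_tree = {"lib/install-deps.mjs": b"\x7fELF\x02\x01\x01\x00"}
    for finding in audit_package(manifest, lambda rel: fake_tree[rel]):
        print(finding)
```

To scan a real package, unpack the tarball from `npm pack` and pass `lambda rel: open(os.path.join(pkg_dir, rel), "rb").read(8)` as `read_head`, so the check runs before any hook fires; `npm install --ignore-scripts` keeps the hook from running while you look.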


Affected packages

npm / js-digest

No fixed version published yet for js-digest (npm). Pin to a known-safe version or switch to an alternative.
