MAL-2026-5935
Malicious code in tw-theme-kit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c)

The published entrypoints dist/index.cjs and dist/runtime.cjs contain an injected IIFE that assigns `global.r = require` and `global.m = module`, tags the host with campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes Function() on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does `require('tw-theme-kit')` or `import 'tw-theme-kit/runtime'` triggers attacker-controlled code at load time with full Node capabilities (fs, child_process, net) exposed via the globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The .mjs builds and source-maps embed the same obfuscated literal, so no entrypoint is safe.
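A static check for the plaintext markers named above (the `global.r`/`global.m` aliases and the campaign id), as an added example that is not part of the advisory or of amazon-inspector. The indicator names, `scanSource`, `scanFiles` and the sample strings are assumptions of this example; the shuffled 'constructor' lookup never appears as a literal, so it is not matched here.

```javascript
// Added example: flags files carrying the load-time markers this advisory describes.
// Indicator names and function names are assumptions of this example.
const INDICATORS = [
  { name: 'global-require-alias', // global.r = require, globalThis["r"] = require
    re: /\bglobal(?:This)?\s*(?:\.\s*r|\[\s*["']r["']\s*\])\s*=\s*require\b/ },
  { name: 'global-module-alias', // global.m = module
    re: /\bglobal(?:This)?\s*(?:\.\s*m|\[\s*["']m["']\s*\])\s*=\s*module\b/ },
  { name: 'campaign-tag', re: /A6-Orion-271/ }, // campaign id quoted in the advisory
];

// Return the names of all indicators present in one file's text.
function scanSource(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// files: { path: contents }. Returns only the files that have at least one hit.
function scanFiles(files) {
  const findings = {};
  for (const [name, text] of Object.entries(files)) {
    const hits = scanSource(text);
    if (hits.length > 0) findings[name] = hits;
  }
  return findings;
}

// Constructed sample inputs (inert strings, not taken from the package).
const SAMPLE_FLAGGED = '(function(){global.r = require; global["m"]=module; var t="A6-Orion-271";})();';
const SAMPLE_CLEAN = 'const plugin = require("tailwindcss/plugin"); module.exports = plugin(() => {});';

// CLI use: node scan.js <package-dir>; reads files only, never loads the package.
if (typeof require === 'function' && typeof module !== 'undefined' &&
    require.main === module && process.argv[2]) {
  const fs = require('fs');
  const path = require('path');
  const files = {};
  const walk = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, e.name);
      if (e.isDirectory()) walk(p);
      else if (e.isFile() && /\.(c?js|mjs|map)$/.test(e.name)) files[p] = fs.readFileSync(p, 'utf8');
    }
  };
  walk(process.argv[2]);
  const findings = scanFiles(files);
  console.log(JSON.stringify(findings, null, 2));
  process.exitCode = Object.keys(findings).length ? 1 : 0;
}
```

Point it at an unpacked tarball or a `node_modules/<package>` directory; a clean result only means these specific markers are absent.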
Affected packages
No fixed version published yet for tw-theme-kit (npm). Pin to a known-safe version or switch to an alternative.