MAL-2026-5980

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ab0d6b253674f5eef505fbffb76003d2071569fd9d8abdf8993197738bb27759) The package advertises itself as a PostCSS plugin for CSS hardware-acceleration hints, but its only legitimate behavior is a 3-line walkDecls that adds `will-change: transform`. When the plugin factory in lib/index.js is invoked (which happens automatically when a developer wires the plugin into their PostCSS pipeline), it reads assets/driver-shim.bin (a 55,928-byte comma-separated integer list), XOR-decodes every byte with 0xA5 to recover ~56 KB of JavaScript source, and executes that source via `vm.Script(...).runInContext(...)` with `require`, `process`, `console`, and `Buffer` exposed in the context — granting the decoded code full Node privileges including filesystem and network access. Decoding confirms the bytes are JavaScript source (recurring `function` and `require` tokens, quoted module names). Before decoding, lib/index.js:18-21 checks `process.env.CI || process.env.CONTINUOUS_INTEGRATION` and `!process.stdout.isTTY` and returns early in those cases — a deliberate sandbox-evasion gate that keeps the payload dormant on CI runners and automated scanners while firing on interactive developer workstations. The combination of (a) a cover-story package whose advertised purpose is unrelated to its actual code, (b) an XOR-obfuscated executable blob shipped as a.bin asset, (c) vm.Script execution of that blob with full Node capabilities, and (d) a CI/headless evasion gate is the canonical supply-chain attack fingerprint.