MAL-2026-6085

Malicious code in @hotcappuccino/nodepull (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99)

@hotcappuccino/nodepull@1.0.0 ships a single `index.js` (the package's declared `main`) that is wrapped in an obfuscator.io string-array + RC4-encrypted-string scheme. At top level — fires on every `require('@hotcappuccino/nodepull')` — the module loads `child_process`, `fs`, `os`, `path`, and an HTTP client; reconstructs a dotted URL through repeated `''.repeat(N,'.')` concatenations of RC4-decrypted fragments; performs `httpClient.get(URL + path)`; writes the response body to `path.join(os.tmpdir(), <filename>)` via `fs.writeFileSync(..., {flag:'w+'})`; and immediately invokes `child_process.spawn(filePath, args, {windowsHide: true, cwd: os.tmpdir()})`. The 249-entry rotated string array is decoded by `b`/`c` using base64 + RC4 keyed by index 0, hiding the URL, spawned command, and required module names from inspection. There is no legitimate purpose served by RC4-encrypting every string (including module names) in a package whose only behavior is to fetch and execute a remote binary at import time. Any installer that requires this package executes attacker-controlled bytes from a hidden remote endpoint as a child process with the console window suppressed.

Affected packages

npm / @hotcappuccino/nodepull

No fixed version published yet for @hotcappuccino/nodepull (npm). Pin to a known-safe version or switch to an alternative.