
MAL-2026-6096

Malicious code in requests-middleware (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cfd9564690d64c44a730b088f4295c75b36e9d2fb164e2c7aa9ec2367153ada6) The package is a typosquat of the legacy `request`/`requests` HTTP library: it copies that project's README, dependencies, and source files verbatim and grafts a malicious dropper onto them. Its sole exported function, `middleware` (index.js:117-122), spawns `node lib/logger.js` with `{ detached: true, stdio: 'ignore' }` and immediately calls `unref()` on the child, so the loader runs silently and outlives the parent process. lib/logger.js then uses axios to GET `https://www.jsonkeeper.com/b/YL7GN`, extracts a JavaScript payload from the `Cookie` field of the response, and evaluates it with `new Function.constructor('require', s)(require)`, retrying up to 5 times. Because `Function.constructor` is `Function` itself, this is simply `new Function('require', s)(require)`: attacker-controlled JavaScript compiled into a function and handed the consumer process's real `require`, so it can load any module the host can. The remote URL is disguised in lib/logger.js:4-8 as a `DEV_API_KEY` entry inside a fake `process.env`-shaped object so that it reads like benign configuration. jsonkeeper.com is an anonymous, author-mutable paste host, so the executed bytes can change at any time without any package update; what the loader ran yesterday says nothing about what it runs today. Any application that imports this package and invokes the default `middleware` export will execute remote attacker code.


Affected packages

npm / requests-middleware

No fixed version has been published for requests-middleware (npm). Because the package is a typosquat rather than a compromised legitimate project, there is no known-safe version to pin to: remove it, install the library you actually intended, and treat any host that ran its `middleware` export as having executed attacker-controlled code.
