MAL-2026-6140

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b90fd30f5d52b139ea7be77aa1782a5339f39355ec7ad532af2fa7a49616ff88) @httpactions/strict-uri-encode impersonates the popular unscoped npm package 'strict-uri-encode' (~30M weekly downloads) by republishing the same name under a lookalike scope. The package ships no URI-encoding functionality; index.js is a heavily obfuscated dropper (obfuscator.io-style 110-entry rotating string array, base64-decoded module names for 'https', 'child_process', 'writeFileSync', 'exec', 'spawn', 'hostname', 'username') that executes immediately on require() and again every ~10 minutes via setInterval. The dropper assembles a hardcoded IP-based URL from base64 fragments (e.g. 'MC44Ni4x' → '0.86.117.x'), HTTPS-GETs a remote payload, writes it to disk via fs.writeFileSync, and executes it via child_process.exec/spawn — yielding arbitrary remote code execution on any machine that requires the module. In parallel, bt() POSTs {ts, type, hid, ss, cc} containing os.hostname() and os.userInfo().username to the same hardcoded IP, exfiltrating installer host identity unconditionally on import and on the 10-minute timer. Combination of typosquatted name, zero legitimate functionality, heavy obfuscation, hardcoded IP C2, host-identity exfiltration, and require-time fetch-and-execute is an unambiguous supply-chain attack.