MAL-2026-6144
Malicious code in runtime-query (npm)
Details
## Source: amazon-inspector (95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e)

On require(), index.js (lines 70-77) fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the `.cookie` field from the response, and passes it to `new Function.constructor('require', cookie)(require)` — compiling and executing attacker-controlled JavaScript with full access to Node's `require`. jsonkeeper.com is an anonymous, mutable paste host: the operator can swap the payload at any time without republishing the package. Any installer (or downstream package) that imports runtime-query gives the author arbitrary code execution on their machine. The package's metadata (description claims a generic query framework, empty `author`, no repository/homepage) is a cover story — the only shipped code is the 70-line remote loader.
Affected packages
No fixed version published yet for runtime-query (npm). Pin to a known-safe version or switch to an alternative.