MAL-2026-6211

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ba0f33946c3dd0624d21c0e99beb12f22b880bc126a3474753b38a9799fc5293) The package advertises itself as auth middleware but its main entry (index.js) is a 21KB obfuscator.io-packed file that, on require, performs a hidden download-and-execute pipeline. The single-file main uses an RC4-decoded 273-entry string array and control-flow flattening to conceal its require targets and network destination. On load it requires fs/os/path/child_process plus an HTTP client, installs no-op handlers for uncaughtException/unhandledRejection to suppress errors, constructs a host string via chained replaceAll calls on an obfuscated literal, performs an HTTP GET, writes the response body to disk with flag 'w+', and then invokes child_process.exec on the fetched bytes with windowsHide:true and cwd=process.cwd(). Any service that imports this package executes attacker-controlled remote code in its process context. The package.json has empty description and author and uses a generic name (`@apiwizards/auth-middleware`) consistent with namespace abuse targeting developers searching for an auth library.