
MAL-2026-6214

Malicious code in @chunklab/hexparse (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013)

Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function (encodeHex, decodeHex, encodeBase64, ...) invokes `_runPrepare()` from `script/prelude.cjs` (and `esm/prelude.mjs`), a ~277 KB obfuscator.io-packed module using a rotating string array and an RC4-style string decoder with hex-named identifiers (`_0xe119`, `_0x19b8`).

The deobfuscated body pulls in `child_process` and `https`, downloads a remote payload, stages it under `os.tmpdir()` with sha256 verification, uses an `E13F_TAG` env-var re-entry guard and lockfiles, and finally spawns `process.execPath` on the downloaded file. Any consumer that imports the package and calls its advertised API silently fetches and executes attacker-controlled code on the installer's machine. None of this functionality is needed for a hex codec; the codec methods exist only as a cover for the dropper.

The package also impersonates an unrelated upstream project: `package.json` `repository.url`, `bugs.url`, and `homepage` all point to `github.com/levischuck/tiny-encodings`, while the package is published under the `@chunklab` scope by author `chunklab <chunklab@pm.me>`, and the obfuscated `prelude.cjs`/`prelude.mjs` files are not present in that upstream. This is an identity-spoofing republish that adds malware on top of a legitimate codec source tree.
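As an added example, not code from the advisory, OSV, Amazon Inspector, or the package itself, the following Node.js script turns the indicators listed above into an offline triage check a defender can run over an extracted tarball (e.g. the output of `npm pack`) before anything is installed. It scores a package on two independent signals the advisory describes: source-level markers of an obfuscated dropper (obfuscator.io-style `_0x` identifiers, `child_process` plus `https`, temp-directory staging, `process.execPath`) and a manifest whose `repository`/`bugs`/`homepage` URLs point at a GitHub owner matching neither the npm scope nor the author. The manifest values come from the advisory; the weights, thresholds, the inert stand-in for `prelude.cjs`, and the benign `@acme/hexcodec` comparison package are this example's own constructed assumptions.

```javascript
// Added example, not OSV's, Amazon Inspector's, or the package's own code:
// offline triage of an extracted npm package against the indicators the
// advisory lists. All inputs are in-memory strings, so no network access
// and no real node_modules tree is needed. Weights and thresholds are
// this example's own assumptions, not values from the advisory.

// Source-level indicators named in the advisory.
const CODE_INDICATORS = [
  { id: "obfuscator-hex-ids", weight: 2, minDistinct: 5,
    re: /\b_0x[0-9a-f]{2,}\b/g,
    desc: "many hex-named identifiers (obfuscator.io style)" },
  { id: "child_process", weight: 2,
    re: /(?:require\(\s*|from\s+)['"](?:node:)?child_process['"]/g,
    desc: "loads child_process" },
  { id: "https", weight: 1,
    re: /(?:require\(\s*|from\s+)['"](?:node:)?https['"]/g,
    desc: "loads https (remote fetch capability)" },
  { id: "tmpdir-staging", weight: 1,
    re: /\.tmpdir\(\)/g,
    desc: "stages files under the OS temp directory" },
  { id: "self-exec", weight: 3,
    re: /\bprocess\.execPath\b/g,
    desc: "references process.execPath (re-launching node on a file)" },
];

// Collect the GitHub owner from every repository/bugs/homepage URL.
function githubOwners(pkg) {
  const repo = typeof pkg.repository === "string" ? pkg.repository : pkg.repository && pkg.repository.url;
  const bugs = typeof pkg.bugs === "string" ? pkg.bugs : pkg.bugs && pkg.bugs.url;
  const owners = new Set();
  for (const u of [repo, bugs, pkg.homepage]) {
    const m = u && /github\.com[/:]([^/#?]+)/i.exec(u);
    if (m) owners.add(m[1].toLowerCase());
  }
  return [...owners];
}

// Metadata that points at a GitHub owner matching neither the npm scope
// nor the author name is the republish-impersonation signal the advisory
// describes. Returns null when the metadata is consistent.
function metadataMismatch(pkg) {
  const owners = githubOwners(pkg);
  if (owners.length === 0) return null;
  const name = pkg.name || "";
  const scope = name.startsWith("@") ? name.slice(1, name.indexOf("/")).toLowerCase() : null;
  const author = typeof pkg.author === "string" ? pkg.author.split("<")[0].trim() : pkg.author && pkg.author.name;
  const local = [scope, author && author.toLowerCase()].filter(Boolean);
  return owners.some((o) => local.includes(o)) ? null : { owners, scope, author };
}

// Run every indicator over one source file; distinct matches are counted
// so a single leftover identifier does not trip the obfuscation rule.
function scanSource(file, src) {
  const findings = [];
  for (const ind of CODE_INDICATORS) {
    const distinct = new Set(src.match(ind.re) || []).size;
    if (distinct === 0 || distinct < (ind.minDistinct || 1)) continue;
    findings.push({ file, id: ind.id, weight: ind.weight, count: distinct, desc: ind.desc });
  }
  return findings;
}

// files: { "relative/path.js": "<source text>" }
function triagePackage(pkg, files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) findings.push(...scanSource(file, src));
  const mm = metadataMismatch(pkg);
  if (mm) {
    findings.push({ file: "package.json", id: "metadata-mismatch", weight: 3, count: 1,
      desc: `GitHub owner(s) ${mm.owners.join(", ")} match neither scope ${mm.scope} nor author ${mm.author}` });
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 6 ? "likely-dropper" : score >= 3 ? "review" : "clean";
  return { score, verdict, findings };
}

// Manifest fields as the advisory reports them for @chunklab/hexparse.
const SAMPLE_PACKAGE_JSON = {
  name: "@chunklab/hexparse",
  author: "chunklab <chunklab@pm.me>",
  repository: { type: "git", url: "https://github.com/levischuck/tiny-encodings" },
  bugs: { url: "https://github.com/levischuck/tiny-encodings" },
  homepage: "https://github.com/levischuck/tiny-encodings",
};

// Constructed, inert stand-in for the obfuscated prelude: it carries the
// same surface indicators but downloads and executes nothing.
const SAMPLE_PRELUDE = `
var _0xe119 = ['a', 'b'], _0x19b8 = function (_0x1a2b, _0x3c4d) { return _0xe119[_0x1a2b]; };
var _0x5e6f = require('child_process'), _0x7a8b = require('https'), _0x9c0d = require('os');
var _0xab12 = _0x9c0d.tmpdir();
var _0xcd34 = process.execPath;
`;

// Constructed benign comparison: the scope matches the GitHub owner and
// the code only does codec work.
const CLEAN_PACKAGE_JSON = { name: "@acme/hexcodec", author: "acme", repository: { url: "https://github.com/acme/hexcodec" } };
const CLEAN_SOURCE = "exports.encodeHex = (buf) => Buffer.from(buf).toString('hex');";

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, { "script/prelude.cjs": SAMPLE_PRELUDE }), null, 2));
console.log(triagePackage(CLEAN_PACKAGE_JSON, { "index.js": CLEAN_SOURCE }).verdict);
```

Obfuscation on its own is not proof of malice (minified builds trip the hex-identifier rule too), which is why the script only reaches `likely-dropper` when several capabilities the codec has no business needing appear together, and why the manifest mismatch is scored separately: that signal survives even if the dropper is repacked with a different obfuscator. In practice the `files` map would be filled from the unpacked tarball, and any `likely-dropper` or `review` verdict should block the install until a human has looked at the flagged files.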


Affected packages

npm / @chunklab/hexparse

No fixed version published yet for @chunklab/hexparse (npm). Pin to a known-safe version or switch to an alternative.

References