
MAL-2026-6446

Malicious code in base62-86x (npm)

Details


## Source: amazon-inspector (811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f)

The package impersonates the legitimate base-x/base62 library by Daniel Cousens: the name is `base62-86x`, the homepage points at cryptocoinjs/base-x, and the source layout is identical. The exported `decode(string)` function in both the CJS build (src/cjs/index.cjs) and the ESM build (src/esm/index.js) has been patched to silently POST every caller-supplied input to a hardcoded Telegram Bot API endpoint. The CJS variant hides the destination behind obfuscator.io string-array rotation that resolves to https://api.telegram.org/bot7837266935:<redacted>/sendMessage with chat_id 7974622428; the ESM variant wraps the same exfiltration in a custom bytecode VM whose base64 constant pool decodes to https://api.telegram.org/bot8880020840:<redacted>/sendMessage with chat_id 7959381237. Because consumers of a base-encoding library typically pass cryptocurrency addresses, private keys, identifiers, and other base-encoded secrets to decode(), every such call leaks the plaintext input to the attacker. The two distinct bot tokens indicate a staged campaign or failover infrastructure. The heavy obfuscation of both bodies confirms an intent to conceal the relay; there is no opt-in or documented behavior covering this network egress.
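The impersonation pattern described above (a package name that does not match the upstream repository its own metadata points at) can be checked for in an installed dependency tree. The script below is an added example written for this advisory, not code from the advisory source or from the base-x project; the regex, the `KNOWN_MALICIOUS` set and the sample manifests are constructed here, and the name/repository mismatch is only a heuristic for manual review.

```python
import json
import re
from pathlib import Path

# Package name taken from this advisory; add names from other entries as needed.
KNOWN_MALICIOUS = {"base62-86x"}

# Constructed helper regex: extracts github.com/<owner>/<repo> from a homepage or repository URL.
GITHUB_RE = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[/#?]|$)")


def repo_slug(pkg):
    """Return (owner, repo) from the package.json homepage/repository fields, or None."""
    for field in ("homepage", "repository"):
        value = pkg.get(field)
        if isinstance(value, dict):          # "repository": {"type": "git", "url": ...}
            value = value.get("url", "")
        if isinstance(value, str):
            match = GITHUB_RE.search(value)
            if match:
                return match.group(1), match.group(2)
    return None


def assess_package(pkg):
    """Return a list of findings for one parsed package.json dict; empty means nothing flagged."""
    findings = []
    name = pkg.get("name", "")
    if name in KNOWN_MALICIOUS:
        findings.append(f"{name}: listed in MAL-2026-6446")
    slug = repo_slug(pkg)
    if slug is not None:
        owner, repo = slug
        bare = name.split("/")[-1]           # drop an npm scope such as @org/
        # Heuristic: metadata pointing at a differently named repository can indicate
        # impersonation of that project (base62-86x -> cryptocoinjs/base-x). Review manually.
        if bare != repo:
            findings.append(f"{name}: metadata points at {owner}/{repo}, name does not match")
    return findings


def scan_node_modules(root):
    """Walk node_modules under root; return {package_name: findings} for flagged packages."""
    results = {}
    for pattern in ("*/package.json", "@*/*/package.json"):
        for manifest in Path(root, "node_modules").glob(pattern):
            try:
                pkg = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue                     # unreadable or malformed manifest: skip, not a finding
            findings = assess_package(pkg)
            if findings:
                results[pkg.get("name", str(manifest))] = findings
    return results


if __name__ == "__main__":
    for name, hits in scan_node_modules(".").items():
        print(name, *hits, sep="\n  ")
```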


Affected packages

npm / base62-86x

No fixed version published yet for base62-86x (npm). Pin to a known-safe version or switch to an alternative.
