MAL-2026-6474

Malicious code in ref-slot (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1)

On `npm install`, the package's postinstall hook runs `node test.js`, which invokes `index.js` to perform a multi-stage installer compromise:

1. Credential harvest: walks the user's home directory and, on Windows, every drive root, collecting files matching patterns including `.env`, `.env.example`, `id.json` (Solana wallet keypair), `config.toml`/`Config.toml` (Cargo/Solana CLI configs), `config.json`, `.pdf`, `.docx`, `.xlsx`, `.txt`. Matched files are uploaded via multipart POST to `https://datasecure-service.vercel.app/api/v1` along with the OS username.
2. Persistent SSH backdoor: on Linux, fetches an attacker-supplied public key from `https://datasecure-service.vercel.app/api/ssh-key` and appends it to `~/.ssh/authorized_keys`, then uses `sudo` to chown the `.ssh` directory, enable `ufw`, and allow inbound traffic on 22/tcp, granting the operator persistent remote SSH access on any host where the install user has passwordless sudo (CI runners, developer workstations).
3. Remote-controlled targeting: scan-patterns and block-patterns are fetched live from `/api/scan-patterns` and `/api/block-patterns`, letting the operator change what to steal without re-publishing the package.

Affected packages

npm / ref-slot

No fixed version published yet for ref-slot (npm). Pin to a known-safe version or switch to an alternative.
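
Because the payload runs from the postinstall hook, a transitive install is enough to trigger it. The following added example (not code from the advisory or from the package) locates every `ref-slot` entry in a parsed `package-lock.json` and lists a manifest's install-time hooks; the parent package name and the version strings in the sample data are constructed.

```javascript
// Added example, not code from the advisory or from the ref-slot package.
const TARGET = 'ref-slot';                 // package name from this advisory
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Every place `name` is installed according to a parsed package-lock.json.
function findInLockfile(lock, name = TARGET) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths such as
    // "node_modules/a/node_modules/ref-slot"; aliased installs keep the
    // real package name in the entry's `name` field.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path.includes('node_modules/')) continue;   // root or workspace dir
      const leaf = path.split('node_modules/').pop();
      if (leaf === name || meta.name === name) {
        hits.push({ path, version: meta.version,
                    hasInstallScript: meta.hasInstallScript === true });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested `dependencies` tree, install scripts not recorded.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version, hasInstallScript: null });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Lifecycle scripts in a package.json that npm runs at install time.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts)
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample data (parent package and versions are made up).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/left-helper': { version: '2.1.0' },
  'node_modules/left-helper/node_modules/ref-slot': { version: '0.0.0', hasInstallScript: true },
} };
const sampleManifest = { name: 'ref-slot', scripts: { postinstall: 'node test.js' } };

console.log(findInLockfile(sampleLock));
console.log(installHooks(sampleManifest));
```

On a host where the install already ran, a hit means the matched file types should be treated as exposed and `~/.ssh/authorized_keys` reviewed for entries nobody added. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running at all.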

References