MAL-2026-6477
Malicious code in runtimekit (npm)
Details
## Source: amazon-inspector (ffa393dec171ebd22b63776d7550006d3f9f60ad8726ce1153784080e9038acd)

lib/index.cjs and lib/index.mjs (re-required from lib/readonly.cjs) contain a self-executing IIFE that decodes two opaque strings via a custom shuffle routine (`YWG`), recovers the identifier `constructor` from one of them, retrieves the Function constructor via property access, then builds and invokes nested Function-constructor calls, `Function('', Function('', decoded1))(decoded2)(7942)`, executing arbitrary decoded JavaScript at module load. Before the synthesis, the loader assigns `global.r = require` and `global.m = module`, deliberately smuggling Node's `require` and `module` bindings into the global scope so the dynamically constructed function (which does not inherit the module's closure) can reach them. A marker `global._V = "A6-Shadow-16"` is also set. The package advertises itself as a validation/runtime utility but ships an obfuscated self-injecting loader; there is no legitimate reason for a utility library to hide its code behind nested Function-constructor calls. Any consumer that does `require('runtimekit')` or `require('runtimekit/readonly')` runs the decoded payload in-process with full Node privileges.
Affected packages
No fixed version published yet for runtimekit (npm). Pin to a known-safe version or switch to an alternative.