MAL-2026-6487

Malicious code in velocityfix (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c937a54c3629f80fb7b92fbdafda502706b6028b43bc4675eb30c55d9bc059e9)

Package masquerades as 'Performance fixes for Minecraft Velocity proxy' authored by 'Velocity Team'; Velocity is a Java project from PaperMC and has no legitimate npm distribution. package.json declares scripts.postinstall = 'node scripts/loader.js', which silently spawns a bundled payload.exe via `start /b` on every `npm install`. The bundled PE contains a hardcoded C2 at https://751.lol/upload/ and posts a multipart form with fields `username`, `os_info`, `ip_address`, and `file=data.zip`, exfiltrating the installer's hostname, OS, IP, and a zip of collected files to an attacker-controlled host. The payload labels itself `[INJECTOR]`, reads registry values (ProductName, DisplayVersion), and performs sandbox / VM evasion (probes for SbieDll.dll, snxhk.dll, Vboxguest.sys, vmGuestLib.dll, VMware/VirtualBox artifacts) so it only fully detonates on real victim hosts. The combination of brand-impersonation lure, install-time auto-execution of an opaque native binary, hardcoded exfil endpoint, and anti-analysis evasion is an unambiguous Windows-targeted supply-chain dropper.
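The pattern the source report describes (a package on the affected list, an npm lifecycle hook that runs on `npm install`, and a native Windows binary shipped inside a JavaScript package) can be checked for in an installed tree. The audit script below is an added example written for this page; it is not code from the advisory, from Amazon Inspector, or from the velocityfix package. It builds a constructed node_modules tree that mirrors the report's description (the package.json fields and the placeholder payload.exe bytes are invented for the demo), then flags any package showing one or more of those three traits.

```python
"""Audit a node_modules tree for the install-time dropper pattern in the advisory:
an affected package name, an install-time lifecycle hook, and a bundled native binary.

Added example, not the advisory's or Amazon Inspector's code. The sample tree is
constructed from the advisory's description; payload.exe here is a placeholder.
"""
import json
import tempfile
from pathlib import Path

# Package names this advisory (MAL-2026-6487) lists as affected.
AFFECTED_PACKAGES = {"velocityfix"}

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Native Windows binary extensions that a pure-JS package rarely needs to ship.
NATIVE_BINARY_EXTS = {".exe", ".dll", ".sys"}


def audit_package(pkg_dir: Path) -> dict:
    """Return {'name': ..., 'flags': [...]} for one installed package directory."""
    findings = {"name": pkg_dir.name, "flags": []}
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        findings["flags"].append("unreadable package.json")
        return findings
    name = manifest.get("name", pkg_dir.name)
    findings["name"] = name
    if name in AFFECTED_PACKAGES:
        findings["flags"].append("listed in advisory")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings["flags"].append(f"install hook {hook}: {scripts[hook]}")
    # Walk the package directory for native binaries regardless of manifest contents.
    binaries = sorted(
        str(p.relative_to(pkg_dir))
        for p in pkg_dir.rglob("*")
        if p.is_file() and p.suffix.lower() in NATIVE_BINARY_EXTS
    )
    for b in binaries:
        findings["flags"].append(f"bundled native binary: {b}")
    return findings


def audit_tree(node_modules: Path) -> list:
    """Audit every top-level (and @scoped) package; return only the flagged ones."""
    flagged = []
    for pkg_dir in sorted(node_modules.iterdir()):
        if not pkg_dir.is_dir():
            continue
        # Scoped packages live one level deeper: node_modules/@scope/name
        members = sorted(pkg_dir.iterdir()) if pkg_dir.name.startswith("@") else [pkg_dir]
        for member in members:
            if member.is_dir():
                result = audit_package(member)
                if result["flags"]:
                    flagged.append(result)
    return flagged


def build_sample_tree(root: Path) -> Path:
    """Constructed node_modules: one package mirroring the advisory, one benign one."""
    nm = root / "node_modules"
    bad = nm / "velocityfix"
    (bad / "scripts").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "velocityfix",
        "version": "0.0.0-constructed",  # constructed; the advisory lists no version
        "description": "Performance fixes for Minecraft Velocity proxy",
        "author": "Velocity Team",
        "scripts": {"postinstall": "node scripts/loader.js"},
    }))
    (bad / "scripts" / "loader.js").write_text("// placeholder loader, does nothing\n")
    (bad / "payload.exe").write_bytes(b"MZ placeholder, not a real PE")
    good = nm / "harmless-lib"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"name": "harmless-lib", "version": "1.0.0"}))
    return nm


def run_demo() -> list:
    """Build the sample tree in a temp dir and return the flagged packages."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["name"])
        for flag in finding["flags"]:
            print("  -", flag)
```

Against a real project, call `audit_tree(Path("node_modules"))`; only the velocityfix entry should carry the "listed in advisory" flag, while any other package flagged solely for an install hook deserves a look at what that hook executes before it is trusted.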

Affected packages

npm / velocityfix

No fixed version has been published yet for velocityfix (npm). Pin to a known-safe version or switch to an alternative; note that the source report above describes the package itself as a dropper rather than a legitimate package with a flawed release, so treat any installed copy as untrusted.
