MAL-2026-6494

Malicious code in @help-forms/application-aff (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ab5ab5493acb5b3ffcab7f80dbdf34e1485bbe5d5d03978949199cdabf6f676a)

@help-forms/application-aff@3.4.3 ships a heavily obfuscated postinstall script (scripts/postinstall.js, obfuscator.io fingerprints: rotated string array, base64+decodeURIComponent decoder, hex-named identifiers, self-defending wrapper) that runs automatically on `npm install`. The script ascends from process.cwd() to locate a project root (package.json/.git/node_modules markers), DJB-hashes that path as a per-project cache key under os.tmpdir(), supports a `RECON_ONLY` env-var mode, and uses a 7-day cache marker so the dropper only fires once per project.

It then detects os.platform(), constructs a URL of the form `<host>/<platform>/<path>` from strings hidden in the rotated array, HTTP-fetches a platform-specific binary, writes it under os.tmpdir(), and spawns it with `{detached:true, stdio:'ignore'}` followed by `.unref()`. There is no hash or signature verification, no pinned URL, and no documentation of the fetched binary's purpose.

The package itself is a decoy: package.json advertises an `Internal HTTP client` for the `Help-Forms Platform Engineering` team and points at non-resolving `*.help-forms.io` domains, but the tarball only contains README.md, package.json, scripts/, and dist/. dist/index.js does `require('../src/index.js')` while no `src/` directory ships, so any consumer of the advertised `createClient`/`get`/`post` API will hit a require error — but only after the postinstall dropper has already executed.

The combination of obfuscation, install-time outbound fetch from a hidden URL, opaque platform-specific binary execution as a detached background process, project-fingerprinting recon, and decoy library shape is the canonical supply-chain dropper pattern.
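The following audit script is an added example for defenders and is not code from the advisory, from OSV, or from Amazon Inspector. It walks a node_modules tree, finds every package that declares a preinstall/install/postinstall hook, and checks the script that hook runs against textual fingerprints drawn from the description above (hex-named `_0x…` identifiers, a decodeURIComponent/atob decoder, an outbound http(s) require or fetch, os.tmpdir(), os.platform(), `detached:true`, `.unref()`). The regexes are this example's own heuristics, not Inspector's detection logic, and the sample package tree it builds is constructed: the decoy's postinstall.js is inert text that only carries the fingerprint strings, with no URL and nothing spawned.

```python
"""Audit an npm node_modules tree for install-time lifecycle scripts carrying the
dropper indicators described in MAL-2026-6494. Added example, not the advisory's
or Amazon Inspector's code; indicator regexes and the sample tree are constructed."""
from __future__ import annotations

import json
import re
import sys
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Textual fingerprints taken from the advisory's description. Each is a heuristic,
# not proof of malice: legitimate native-module installers hit some of them too.
INDICATORS = [
    ("obfuscator_hex_identifiers", re.compile(r"\b_0x[0-9a-f]{4,}\b")),
    ("string_array_decoder", re.compile(r"decodeURIComponent\s*\(|\batob\s*\(")),
    ("outbound_fetch", re.compile(r"\brequire\(\s*['\"]https?['\"]\s*\)|\bfetch\s*\(")),
    ("temp_dir_drop", re.compile(r"os\.tmpdir\s*\(")),
    ("platform_switch", re.compile(r"os\.platform\s*\(")),
    ("detached_spawn", re.compile(r"detached\s*:\s*true")),
    ("unref_background", re.compile(r"\.unref\s*\(")),
]


def script_indicators(source: str) -> list[str]:
    """Return the names of every indicator that matches the script text."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def audit_package(pkg_dir: Path) -> list[dict]:
    """Report each install-time hook of one package together with the indicators
    found in the script it runs (resolved when the command is `node <file>`)."""
    try:
        data = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        target = None
        m = re.search(r"\bnode\s+([^\s&|;]+)", cmd)
        if m and (pkg_dir / m.group(1)).is_file():
            target = pkg_dir / m.group(1)
            hits = script_indicators(target.read_text(encoding="utf-8", errors="replace"))
        else:
            hits = script_indicators(cmd)  # inline command: scan the command itself
        findings.append({
            "package": data.get("name", pkg_dir.name),
            "hook": hook,
            "command": cmd,
            "script": str(target) if target else None,
            "indicators": hits,
        })
    return findings


def audit_node_modules(root: Path) -> list[dict]:
    """Walk every package.json under root, nested node_modules included."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        findings.extend(audit_package(manifest.parent))
    return findings


# Constructed fixture: the decoy's postinstall file is inert text that carries the
# advisory's fingerprints (no real URL; the spawn line is only a comment).
SAMPLE_POSTINSTALL = """var _0x1f3a=['aHR0cA==','c3Bhd24='];
function _0x2b4c(i){return decodeURIComponent(escape(atob(_0x1f3a[i])));}
var os=require('os'),http=require('https');
var target=os.tmpdir()+'/'+os.platform();
// spawn(target,[],{detached:true,stdio:'ignore'}).unref();
"""


def build_sample_tree(base: Path) -> Path:
    """Create one clean package and one decoy package under base/node_modules."""
    nm = base / "node_modules"
    clean = nm / "tiny-util"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "tiny-util", "version": "1.0.0"}))
    decoy = nm / "@help-forms" / "application-aff"
    (decoy / "scripts").mkdir(parents=True)
    (decoy / "package.json").write_text(json.dumps({
        "name": "@help-forms/application-aff",
        "version": "3.4.3",
        "scripts": {"postinstall": "node scripts/postinstall.js"},
    }))
    (decoy / "scripts" / "postinstall.js").write_text(SAMPLE_POSTINSTALL)
    return nm


def run_demo() -> list[dict]:
    """Build the constructed fixture in a temp dir and audit it."""
    return audit_node_modules(build_sample_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (audit_node_modules(root) if root else run_demo()):
        flag = "SUSPICIOUS" if len(f["indicators"]) >= 3 else "review"
        print(f"{flag}: {f['package']} {f['hook']} -> {f['command']} {f['indicators']}")
```

Run it as `python audit.py path/to/node_modules` against a real install; with no argument it audits the constructed fixture. Every package with a lifecycle hook is listed, not only those that match, because the hook itself is what gives a dropper its foothold; installing with `npm install --ignore-scripts` in CI and on developer machines removes that foothold regardless of how well a given script is obfuscated.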

Affected packages

npm / @help-forms/application-aff

No fixed version published yet for @help-forms/application-aff (npm). Pin to a known-safe version or switch to an alternative.