MAL-2026-6496
Malicious code in @dervix/ws (npm)
Details
## Source: amazon-inspector (79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69)

Package `@dervix/ws` impersonates the popular `ws` WebSocket library — `package.json` copies the legitimate ws project's homepage (`https://github.com/websockets/ws`), repository, and author metadata while publishing under an unrelated scope. `lib/websocket.js` appends ~130KB of heavily obfuscated code after the genuine `socketOnError` function; this payload executes at `require()` time via `index.js`.

On import the payload (1) re-spawns the current Node process detached with `stdio:'ignore'` and `windowsHide:true`, gated by an obfuscated marker env var so the parent returns cleanly while a daemonized child continues; (2) constructs an AES-256 key by XOR-combining four hardcoded hex Buffers; (3) issues an HTTPS GET (following 3xx redirects) to an encrypted-in-source URL, streams the response to a file under `os.tmpdir()`, and decrypts it via `createDecipheriv`; (4) `fs.chmodSync(path, 0o755)` and `child_process.spawn(path,...)` with `detached:true` then `unref()`s it. Dynamic `import('child_process')` / `import('path')` is used to defeat static `require` audits, and an `inspector.url()` check short-circuits execution when a debugger is attached. There is no signature verification, no version pinning, and the destination URL is RC4-decoded at runtime so it cannot be inspected statically. Combined with the cloned ws metadata, this is a deliberate typosquat dropper that lands and executes attacker-controlled binary code on any machine that installs and imports the package.
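A defender-side heuristic that audits a package for the two signals described above (cloned ws metadata under a foreign name, and the dropper-style runtime behaviour the analysis lists), as an added example that is not code from the advisory, the ws project or the malicious package; the indicator weights, the threshold, the sample `package.json` object and the sample source lines are constructed assumptions.

```javascript
// Signal 1: package.json points at the ws project's repository while the
// package is published under a different name or scope.
function hasClonedWsMetadata(pkg) {
  const repo = typeof pkg.repository === 'string'
    ? pkg.repository
    : (pkg.repository && pkg.repository.url) || '';
  const pointsAtWs = /github\.com\/websockets\/ws/i.test(`${pkg.homepage || ''} ${repo}`);
  return pointsAtWs && pkg.name !== 'ws';
}

// Signal 2: behaviours named in the advisory. Any one pattern can occur in
// benign code, so they are weighted and summed rather than flagged alone.
const INDICATORS = [
  { re: /import\(\s*['"]child_process['"]\s*\)/, weight: 3, why: 'dynamic import of child_process' },
  { re: /inspector\.url\(\)/, weight: 2, why: 'debugger-attached check' },
  { re: /chmodSync\([^)]*0o755/, weight: 2, why: 'marks a dropped file executable' },
  { re: /detached\s*:\s*true/, weight: 1, why: 'detached child process' },
  { re: /windowsHide\s*:\s*true/, weight: 1, why: 'hidden console on Windows' },
  { re: /createDecipheriv\(/, weight: 1, why: 'runtime decryption of a payload' },
  { re: /os\.tmpdir\(\)/, weight: 1, why: 'stages a file under the temp dir' },
];

function scoreSource(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src));
  return { score: hits.reduce((s, i) => s + i.weight, 0), reasons: hits.map((i) => i.why) };
}

// Flags a package when its metadata is cloned AND the highest-scoring source
// file reaches the (assumed) threshold.
function auditPackage(pkg, sources, threshold = 5) {
  const best = sources.map(scoreSource)
    .reduce((a, b) => (b.score > a.score ? b : a), { score: 0, reasons: [] });
  const cloned = hasClonedWsMetadata(pkg);
  return { cloned, score: best.score, reasons: best.reasons, suspicious: cloned && best.score >= threshold };
}

// Constructed sample input (not the real package contents).
const SAMPLE_PKG = {
  name: '@example-scope/ws',
  homepage: 'https://github.com/websockets/ws',
  repository: { type: 'git', url: 'git+https://github.com/websockets/ws.git' },
};
const SAMPLE_SRC = [
  "const inspector = require('inspector');",
  'if (inspector.url()) process.exit(0);',
  "const cp = await import('child_process');",
  'fs.chmodSync(target, 0o755);',
  "cp.spawn(target, [], { detached: true, windowsHide: true, stdio: 'ignore' }).unref();",
].join('\n');

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, [SAMPLE_SRC]), null, 2));
```

Run it against the unpacked tarball (`npm pack` then extract) rather than `node_modules`, so the package is never `require()`d during the check.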
Affected packages
No fixed version published yet for @dervix/ws (npm). Pin to a known-safe version or switch to an alternative.