MAL-2026-3760
Malicious code in ethers-abstract-signer (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e17d355d974f842bc8db3219ce3f1dc6e643f2a5e1ba8dd0b38a404a8f96e9a8)

On `npm install`, the package's postinstall hook spawns a Node one-liner that uses `child_process.exec` to curl/wget `https://gist.githubusercontent.com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py` and pipe the response directly into `python3` (falling back to node and wget variants), then `eval()`s the exec callback's stdout. The URL is a mutable personal GitHub Gist, not tied to the package publisher, with no version pin and no integrity check, so the Gist owner can swap in arbitrary code at any time and it will execute on every installer's machine. The package's advertised purpose is an 'ethers development aid for Solidity projects', and it impersonates the ethers.js `AbstractSigner` API, but `index.js` is effectively empty (`module.exports = {}`) — the only functional effect of installing the package is the remote-code fetch and execute. The name mimics the legitimate ethers ecosystem, increasing the chance of accidental installation by developers searching for an AbstractSigner helper.
## Source: ghsa-malware (2cfbc22e6c81d171169227dafad300ab1ebd6624a2dd09991a4b8c47fbcc65b7)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected packages
No fixed version has been published yet for ethers-abstract-signer (npm). Pin to a known-safe version or switch to an alternative.