
MAL-2026-4475

Malicious code in aes-decode-runner-pro (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93)

On `require('aes-decode-runner-pro')`, the entry point `index.js` immediately invokes `pkg.run()` (lines 1-3: `const pkg = require("./custom-codec"); pkg.run();`), which AES-256-GCM-decrypts a hardcoded ciphertext bundle using a hardcoded passphrase and salt shipped in `src/config/defaults.js` (`DEFAULT_AES_PASSPHRASE = "default-dev-passphrase"`, `DEFAULT_AES_SALT = "encode-npm-c-salt"`, `DEFAULT_FINAL_ENCODED_TEXT = "wHKEM3UBnIY0UBU6:..."`), passes the result through two additional custom codecs, and finally executes the cleartext with `new Function(String(decoded.decodedPlainText))()` at `src/pipeline/custom-codec-pipeline.js:54`. The README advertises only library functions and does not disclose this auto-execution behavior. Layered obfuscation (position codec + encode-decode codec + AES-GCM with an embedded key) whose sole in-package consumer is the load-time `run()` entry serves only to hide executable code from static review; the consuming developer cannot determine what runs without first executing it. The decrypted payload is fully attacker-controlled and runs in the installer's Node process whenever any downstream module imports this package.
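As an added example (not code from the advisory, the reporting source, or the package itself), the following Node script is a static pre-install check for the combination the report describes: an entry file that unconditionally calls `.run()` on a local module, AES-GCM decryption of an embedded blob, hardcoded key constants, and `new Function`/`eval` on the result. The file map, indicator list and function names are the example's own constructions; the real ciphertext is not reproduced.

```javascript
// Added example: static scan of an unpacked npm package for the load-time
// auto-execution pattern described in the advisory. Nothing here runs package code.
const INDICATORS = [
  { id: "dynamic-eval", re: /\bnew\s+Function\s*\(|\beval\s*\(/, why: "executes code built from a string" },
  { id: "aes-gcm", re: /createDecipheriv\s*\(\s*["']aes-256-gcm["']/, why: "decrypts an embedded blob at runtime" },
  { id: "embedded-key", re: /DEFAULT_AES_(PASSPHRASE|SALT)\s*=\s*["'][^"']+["']/, why: "hardcoded key material" },
];

// Returns the variable name if the entry file requires a local module and then
// calls .run() on it unconditionally (the "index.js" shape in the report), else null.
function entryAutoRuns(src) {
  const m = src.match(/(?:const|let|var)\s+(\w+)\s*=\s*require\(["']\.[^"']*["']\)\s*;?\s*\1\.run\(\)/);
  return m ? m[1] : null;
}

// files: { relativePath: sourceText }. Returns per-file indicator hits plus a verdict.
// Any single indicator is common in benign code; the verdict keys on the combination.
function scanPackage(files, entry = "index.js") {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) hits.push({ file, id: ind.id, why: ind.why });
    }
  }
  const autoRun = entry in files ? entryAutoRuns(files[entry]) : null;
  const ids = new Set(hits.map((h) => h.id));
  const suspicious =
    autoRun !== null && ids.has("dynamic-eval") && (ids.has("aes-gcm") || ids.has("embedded-key"));
  return { autoRun, hits, verdict: suspicious ? "review-before-install" : "no-load-time-exec-pattern" };
}

// Constructed sample mirroring the layout the advisory describes (no real payload).
const SAMPLE_SUSPICIOUS = {
  "index.js": 'const pkg = require("./custom-codec");\npkg.run();\n',
  "src/config/defaults.js":
    'exports.DEFAULT_AES_PASSPHRASE = "default-dev-passphrase";\nexports.DEFAULT_AES_SALT = "encode-npm-c-salt";\n',
  "src/pipeline/custom-codec-pipeline.js":
    'const d = require("crypto").createDecipheriv("aes-256-gcm", key, iv);\n' +
    "new Function(String(decoded.decodedPlainText))();\n",
};

// Constructed benign sample: a library that only exports functions at load time.
const SAMPLE_BENIGN = {
  "index.js": 'module.exports = { decode: (s) => Buffer.from(s, "base64").toString() };\n',
};
```

Run the scan over a package extracted with `npm pack` before adding it to a lockfile; a `review-before-install` verdict means the load path should be read by hand, not that the package is certainly malicious.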


Affected packages

npm / aes-decode-runner-pro

No fixed version published yet for aes-decode-runner-pro (npm). Pin to a known-safe version or switch to an alternative.
