MAL-2026-4580

Malicious code in http-uploader-dev (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b)

package.json declares `"preinstall": "bun run index.js"`, so `npm install` runs the preinstall lifecycle hook, which invokes Bun to execute index.js (whenever lifecycle scripts are enabled, i.e. unless `--ignore-scripts` or `ignore-scripts=true` is set). index.js detects the host OS and shells out via `execSync` to launch an unrelated local application: `open -a Calculator` on macOS, `calc.exe` on Windows, and `xcalc`/`gnome-calculator`/`kcalc` on Linux. This is the canonical proof-of-concept install-time RCE payload and bears no relation to the package's stated 'http uploader' purpose.

Two independently suspicious structural traits compound the lifecycle behavior:

1. The preinstall hook routes execution through Bun, an alternate runtime outside the normal Node resolution path, matching the alternate-runtime-dropper pattern. The hook only succeeds on hosts where `bun` is already on PATH; elsewhere the script, and with it the install, fails, which does not make the package safe.
2. Package metadata is placeholder/throwaway (author 'sleep', homepage `https://git.hfaf.com/urlaa`, generic name 'http-uploader-dev').

The PoC nature of the current payload (launching a calculator) does not lower the severity: any installer running `npm install http-uploader-dev` with lifecycle scripts enabled executes attacker-chosen commands at install time, and a future republish can swap in arbitrary code with no change to the trigger surface.


Affected packages

npm / http-uploader-dev

No fixed version has been published for http-uploader-dev (npm), and because the package is malicious rather than merely vulnerable, no version of it is known-safe to pin to. Remove it from dependencies and lockfiles, switch to an alternative, and treat any host that ran `npm install` on it with lifecycle scripts enabled as having executed attacker-controlled code.

References