MAL-2026-4704
Malicious code in veteran-proxy (npm)
Details
## Source: amazon-inspector (e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f)

On `npm install`, the postinstall hook (`node install.js`) downloads a platform-specific binary archive from a hardcoded `https://your-website.com/downloads/veteran/...` URL, extracts it, chmods it 0755, and immediately executes it (`execSync("${BIN_PATH}" version)`). The README advertises that binaries come from GitHub Releases at `github.com/yongjie0203/veteran/releases`, but the install script hardcodes `your-website.com` with a Chinese-language comment instructing the maintainer to replace it with their real download host; the package was published to npm with the placeholder in place. There is no hash or signature verification of the fetched bytes. Whoever registers or already controls `your-website.com` can ship arbitrary executables to every installer of this package, with full code execution on the installer's machine. Even absent registered malicious intent today, the install path is undefined: the destination domain is not under the publisher's control, the URL is unpinned, and the fetched binary's purpose (advertised as a SOCKS5 proxy) cannot be verified.
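The pattern described above (a lifecycle hook that fetches a binary from an unpinned, placeholder host and executes it with no integrity check) is mechanically detectable before anything runs. The following Python checker is an added example and is not part of this advisory, of Amazon Inspector, or of the veteran-proxy package; the `package.json` and `install.js` contents it inspects are constructed here to mirror the advisory, and the package name, host and file names in them are placeholders. It lists lifecycle hooks, follows `node <file>` commands into the referenced script, and flags remote fetches, placeholder download hosts, chmod/exec calls, and the combination "fetch plus execute with no hash or signature verification".

```python
import json
import re
from typing import Dict, List

# --- Constructed sample inputs (placeholders, not the real package's files) ---
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-proxy",            # placeholder package name
    "version": "0.0.1",
    "scripts": {"postinstall": "node install.js"},
})

SAMPLE_INSTALL_JS = r'''
const { execSync } = require("child_process");
const fs = require("fs");
// Placeholder host left in by the publisher (constructed to mirror the advisory)
const BASE_URL = "https://your-website.com/downloads/example/";
const BIN_PATH = "./bin/example";
// ... fetch archive from BASE_URL and extract it (omitted) ...
fs.chmodSync(BIN_PATH, 0o755);
execSync(`${BIN_PATH} version`);
'''

SAMPLE_CLEAN_JS = 'console.log("thanks for installing");\n'
SAMPLE_NO_HOOKS_JSON = '{"name": "x", "scripts": {"test": "jest"}}'

# npm scripts that run automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Hosts that belong in templates, never in a published package.
PLACEHOLDER_HOSTS = ("your-website.com", "example.com", "localhost")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"`]*")
EXEC_RE = re.compile(r"\b(execSync|execFileSync|execFile|exec|spawnSync|spawn)\s*\(")
CHMOD_RE = re.compile(r"\bchmod(Sync)?\s*\(|\bchmod\s+[0-7]{3,4}\b")
# Any sign that fetched bytes are checked against a digest or signature.
VERIFY_RE = re.compile(r"createHash|sha(256|512)|\.verify\(|integrity", re.I)


def lifecycle_scripts(package_json: str) -> Dict[str, str]:
    """Return only the scripts npm runs automatically on install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def audit_install_script(source: str) -> List[str]:
    """Heuristic findings for one install script (or inline shell command)."""
    findings: List[str] = []
    hosts = [m.group(1) for m in URL_RE.finditer(source)]
    if hosts:
        findings.append(f"remote fetch from host(s): {sorted(set(hosts))}")
    for host in sorted(set(hosts)):
        if any(host == p or host.endswith("." + p) for p in PLACEHOLDER_HOSTS):
            findings.append(f"placeholder/unowned download host: {host}")
    executes = bool(EXEC_RE.search(source))
    if executes:
        findings.append("executes a command during install")
    if CHMOD_RE.search(source):
        findings.append("marks a file executable during install")
    if hosts and executes and not VERIFY_RE.search(source):
        findings.append("fetches remote content and executes it "
                        "without hash/signature verification")
    return findings


def audit_package(package_json: str, files: Dict[str, str]) -> Dict[str, List[str]]:
    """Findings per lifecycle hook. `files` maps filename -> contents; a real
    tool would populate it from the unpacked tarball (`npm pack` output)."""
    report: Dict[str, List[str]] = {}
    for hook, cmd in lifecycle_scripts(package_json).items():
        findings = [f"lifecycle hook '{hook}' runs: {cmd}"]
        m = re.search(r"\bnode\s+([\w./-]+\.[cm]?js)", cmd)
        if m and m.group(1) in files:
            findings += audit_install_script(files[m.group(1)])
        else:
            findings += audit_install_script(cmd)   # inline shell command
        report[hook] = findings
    return report


if __name__ == "__main__":
    for hook, items in audit_package(SAMPLE_PACKAGE_JSON,
                                     {"install.js": SAMPLE_INSTALL_JS}).items():
        print(hook)
        for item in items:
            print("  -", item)
```

The heuristics are deliberately simple (regexes, not a JavaScript parser), so treat a hit as a reason to read the script, not as proof of malice. Two blanket mitigations are independent of any scanner: `npm install --ignore-scripts` prevents lifecycle hooks from running at all, and `npm pack <package>` fetches the tarball so its scripts can be inspected before installation.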
Affected packages
No fixed version published yet for veteran-proxy (npm). Pin to a known-safe version or switch to an alternative.