MAL-2026-4719

Malicious code in weavedb-exm-sdk-web (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89)

package.json declares `"preinstall": "./bin/install-deps"`, which runs a 976KB UPX-packed Linux x86 ELF binary on every `npm install`. The package self-describes as a pure-JavaScript 'Web Client for WeaveDB' — its index.js is a ~60-line HTTP wrapper around `https://${functionId}.exm.run` — with no native build step, no shipped C/C++/Rust source, and no purpose-aligned reason to ship or execute a Linux binary at install time.

The binary carries the UPX runtime-unpacker signature (`http://upx.sf.net` at offset ~4574) so its actual payload is compressed and not statically reviewable; visible string fragments reference PTRACE (process tracing), libbpf (kernel packet filtering), HTTP client primitives, and GitHub API headers — capabilities entirely unrelated to a WeaveDB JS HTTP client. There is no hash/signature verification, no version pinning, no documentation of the binary's presence in the README, and the file is staged under a generic 'install-deps' cover name.

Installer impact: any `npm install weavedb-exm-sdk-web` on a Linux host (developer machines, CI runners) executes attacker-controlled, process-privileged native code with capabilities (ptrace, eBPF) suitable for credential theft, process injection, and host-level surveillance, before any application code is loaded.
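The pattern described above can be checked for before installation. The following is an added example, not part of the advisory or of any scanner's code: it flags install-time lifecycle hooks whose command resolves to a shipped ELF file and reports whether that file carries UPX marker strings. The `readFile` callback, the severity labels and the sample package are assumptions constructed for illustration.

```javascript
// Added example: audit a package's install-time hooks for shipped native binaries.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"
const UPX_MARKERS = ['UPX!', 'http://upx.sf.net'];       // strings left by the UPX stub

// Classify raw file bytes: ELF header, and UPX marker strings anywhere in the file.
function inspectBinary(buf) {
  const elf = buf.length >= 4 && buf.subarray(0, 4).equals(ELF_MAGIC);
  const upx = elf && UPX_MARKERS.some((m) => buf.includes(m));
  return { elf, upx };
}

// manifest: parsed package.json. readFile(relPath) returns a Buffer or null
// (hypothetical callback so the check works on a tarball or an unpacked directory).
function auditInstallHooks(manifest, readFile) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== 'string') continue;
    let elf = false, upx = false;
    const files = [];
    // Any token of the command that resolves to a file inside the package is inspected.
    for (const token of cmd.split(/\s+/).filter(Boolean)) {
      const rel = token.replace(/^\.\//, '');
      const buf = readFile(rel);
      if (!buf) continue;
      files.push(rel);
      const r = inspectBinary(buf);
      elf = elf || r.elf;
      upx = upx || r.upx;
    }
    // Severity labels are this example's own convention.
    const severity = upx ? 'critical' : elf ? 'high' : 'review';
    findings.push({ hook, cmd, files, elf, upx, severity });
  }
  return findings;
}

// Constructed sample shaped like the advisory's description: a preinstall hook
// pointing at a stand-in file (ELF magic + UPX info string), not the real payload.
const sampleManifest = { name: 'example-pkg', scripts: { preinstall: './bin/install-deps' } };
const sampleFiles = new Map([['bin/install-deps', Buffer.concat([
  ELF_MAGIC, Buffer.alloc(64), Buffer.from('$Info: packed with UPX http://upx.sf.net $'),
])]]);
const sampleFindings = auditInstallHooks(sampleManifest, (p) => sampleFiles.get(p) ?? null);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Against an unpacked package, `readFile` can wrap `fs.readFileSync` with paths resolved under the package root. Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a package is under review.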

Affected packages

npm / weavedb-exm-sdk-web

No fixed version published yet for weavedb-exm-sdk-web (npm). Pin to a known-safe version or switch to an alternative.

References