MAL-2026-4723
Malicious code in weavedb-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403)

package.json declares `"preinstall": "./tools/setup"`, where tools/setup is a 976KB stripped Linux x86-64 ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped directly in the tarball. The package self-describes as a JavaScript SDK for an Arweave-backed database; it has no native component, no binding.gyp, no C/C++/Rust source, and no build system that would justify a precompiled binary. The binary is not fetched from a publisher CDN, not version-pinned, and not hash-verified — it simply runs unconditionally with the installer's privileges on every `npm install`. Strings extracted from the binary include a PuTTY private-key header (`BEGINPRIV...KEYPuTTY-`), `RSA_PKCS1_`, `Ed25519`, `cookie`, `Authorization`, `HTTP/1.1`, `POST`, `XMLH` (XMLHttpRequest), `USERPROFILE`, `HOME`, `/proc`, `id_`, `ssh`, and a second embedded ELF header at offset ~270 (UPX-packed loader pattern). This fingerprint set — SSH/PuTTY private-key parsing primitives + browser cookie/Authorization-header scraping + HTTP POST exfil scaffolding + home-directory and /proc traversal — is the canonical shape of a credential and SSH-key stealer. Installing this package on Linux compromises stored SSH/PuTTY keys, browser session cookies, and any credentials reachable from the user's home directory and environment.
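The triage logic described above (a lifecycle script that executes a precompiled ELF shipped inside the tarball, in a package with no native-build justification) can be automated before `npm install` ever runs it. The following is an added example written for this page, not code from the advisory source or from the weavedb-sdk project. It inspects an unpacked package directory, finds install hooks that reference a local file, checks whether that file carries the ELF magic, notes whether any native-build marker exists to explain it, and compares the file's sha256 against the hash published above. The sample package tree and its stub "binary" (only the ELF magic bytes, not the real tools/setup) are constructed inline; the helper names are this example's own.

```python
"""
Added example: flag npm packages whose install hooks run an in-tarball ELF
binary with no native-build justification. Not the advisory's or project's code.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Files whose presence would at least explain a compiled artifact in the package.
NATIVE_BUILD_MARKERS = ("binding.gyp", "Cargo.toml", "CMakeLists.txt", "Makefile")
ELF_MAGIC = b"\x7fELF"
# sha256 of tools/setup as published in the advisory above.
KNOWN_BAD_SHA256 = {"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def referenced_paths(command: str) -> list:
    """Return tokens of a shell one-liner that look like relative file paths."""
    tokens = re.split(r"[\s&|;]+", command.strip())
    return [t for t in tokens
            if t and not t.startswith("-") and not t.startswith("http")
            and (t.startswith("./") or t.startswith("../") or "/" in t)]


def audit_package(pkg_dir) -> list:
    """Return one finding per install hook that executes an ELF file in the package."""
    pkg_dir = Path(pkg_dir).resolve()
    manifest = json.loads((pkg_dir / "package.json").read_text())
    scripts = manifest.get("scripts", {}) or {}
    native_build_present = any((pkg_dir / m).exists() for m in NATIVE_BUILD_MARKERS)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for token in referenced_paths(command):
            target = (pkg_dir / token).resolve()
            # Only consider files that actually ship inside the package.
            if pkg_dir not in target.parents or not target.is_file():
                continue
            with open(target, "rb") as f:
                magic = f.read(4)
            if magic != ELF_MAGIC:
                continue
            digest = sha256_file(target)
            findings.append({
                "hook": hook,
                "command": command,
                "path": token,
                "size": target.stat().st_size,
                "sha256": digest,
                "known_bad": digest in KNOWN_BAD_SHA256,
                "native_build_present": native_build_present,
            })
    return findings


def build_sample_package(malicious: bool = True) -> str:
    """Construct a throwaway package tree mirroring the advisory's layout (stub data)."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    if malicious:
        scripts = {"preinstall": "./tools/setup"}
        (root / "tools").mkdir()
        # Stub ELF: magic + a few header bytes, padded; NOT the real binary.
        (root / "tools" / "setup").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
    else:
        scripts = {"preinstall": "node ./scripts/check.js"}
        (root / "scripts").mkdir()
        (root / "scripts" / "check.js").write_text("console.log('ok');\n")
    (root / "package.json").write_text(json.dumps({
        "name": "sample-sdk", "version": "0.0.0", "scripts": scripts}))
    return str(root)


if __name__ == "__main__":
    for f in audit_package(build_sample_package(malicious=True)):
        verdict = "KNOWN MALICIOUS" if f["known_bad"] else "suspicious"
        print(f"{verdict}: {f['hook']} runs ELF {f['path']} "
              f"(native build files present: {f['native_build_present']})")
```

In practice the audit runs against `npm pack` output or the extracted tarball in a CI gate, and a finding with `native_build_present` false is enough to block installation pending review; a `known_bad` hit matches the hash from this advisory outright.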
Affected packages
No fixed version published yet for weavedb-sdk (npm). Pin to a known-safe version or switch to an alternative.