MAL-2026-5644

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a2141f4facbd3abc437287c86971f1b3bb6795fad75990624f735b72139167d) The package advertises itself as a self-signed certificate generator, but its main module index.js contains a loadSampleCertificate() routine that reads sample/cert.pem, strips the BEGIN/END CERTIFICATE markers, base64-decodes the body, and passes the result to eval(). The decoded blob is JavaScript (not a real DER certificate) that fetches a script from https://aptupdate.org/settings/privacy.php and pipes the response body into a detached, hidden python3 process via stdin (spawn('python3', ['-'], {detached:true, windowsHide:true})). loadSampleCertificate() is invoked at the top of the exported generateCertificates() API, so any consumer calling the package's headline function triggers attacker-controlled remote code execution on the installer's machine. The PEM-shaped wrapper around base64-encoded JavaScript is deliberate steganography to evade casual review.