MAL-2026-5727
Malicious code in vite-config-optimizer (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f)

package.json declares a postinstall hook `node -e "require('./loader.js')"` that auto-executes on every `npm install`. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (`https://jsonkeeper.com/b/L435A`, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under `/tmp/wpc-*/cfg-*.js`, and `require()`s it, running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges.

The remote endpoint is concealed as a hex literal decoded with `Buffer.from(..., 'hex').toString()` to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity.

The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at `webpack-tools/webpack-cache-plugin`, the main module exports a `WebpackCachePlugin` class, and the only install-time behavior is the dropper. Anyone running `npm install vite-config-optimizer` (directly or transitively) executes whatever bytes the paste host serves at request time.
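As an added example (not code from the advisory, the scanner, or the package), a small JavaScript audit that flags the two install-time traits described above: lifecycle scripts npm runs automatically, and quoted hex literals that decode to a URL, which a plain-text URL grep would miss. The sample package.json, file contents and URL are constructed placeholders.

```javascript
// Added example (not from the advisory or the package): static checks for the two
// install-time traits described above. All sample data below is constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Lifecycle scripts npm runs automatically when the package is installed as a dependency.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, command: scripts[k] }));
}

// Decode every quoted hex literal of 16+ bytes and keep those that decode to an
// http(s) URL: the concealment used by loader.js defeats plain-text URL grep.
function findHexEncodedUrls(source) {
  const found = [];
  const re = /['"`]([0-9a-fA-F]{32,})['"`]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (m[1].length % 2 !== 0) continue; // not a whole number of bytes
    const decoded = Buffer.from(m[1], 'hex').toString('utf8');
    if (/^https?:\/\/\S+$/i.test(decoded)) found.push(decoded);
  }
  return found;
}

// Run both checks over an unpacked package: pkg is parsed package.json,
// files maps relative path -> file text. Returns human-readable findings.
function auditPackage(pkg, files) {
  const findings = [];
  for (const h of findInstallHooks(pkg)) {
    findings.push(`install hook ${h.hook}: ${h.command}`);
  }
  for (const [path, text] of Object.entries(files)) {
    for (const url of findHexEncodedUrls(text)) {
      findings.push(`hex-encoded URL in ${path}: ${url}`);
    }
  }
  return findings;
}

// Constructed sample mirroring the advisory's layout; the URL is a placeholder.
const SAMPLE_URL = 'https://paste.example.invalid/b/PLACEHOLDER';
const SAMPLE_PKG = { name: 'demo-pkg', scripts: { postinstall: 'node -e "require(\'./loader.js\')"' } };
const SAMPLE_FILES = {
  'loader.js': `const u = Buffer.from('${Buffer.from(SAMPLE_URL).toString('hex')}', 'hex').toString();`,
};

console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES));
```

Run it against the contents of an unpacked tarball (`npm pack` output) before installing; a postinstall hook alone is common in legitimate packages, but paired with a hex-decoded URL it warrants manual review.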
Affected packages
No fixed version published yet for vite-config-optimizer (npm). Pin to a known-safe version or switch to an alternative.