
MAL-2026-5790

Malicious code in ldpbootstrap-jquery (npm)

Details


## Source: amazon-inspector (bcab02ae44d1604b6fa9e80156a8c5882f7a4809470ff59eb6d14db4bf28f91f)

ldpbootstrap-jquery ships and executes an obfuscated Windows PowerShell payload as part of its documented usage. The package contains dist/ps1-stub.enc.hex, an 8KB opaque hex-encoded blob. dist/bootstrap.js decrypts it with a hardcoded XOR key (f633ffeeffbbc09da9f2b477e1183294), writes the decrypted PS1 to %LOCALAPPDATA%\Landpage\<ps1FileName>, and invokes it via `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File <path>`, explicitly bypassing execution policy and hiding the window.

bootstrap.js also fetches a session-specific PS1 over plain HTTP from a consumer-configured apiBase (README example: http://192.168.1.143:3001) using MSXML2.ServerXMLHTTP with session/fingerprint headers, then writes and executes it via the same hidden PowerShell flow.

The README explicitly documents AV evasion as a design goal, referencing docs/HTA-AV-HYGIENE.md and describing per-session XOR key derivation in an HTA context for MSI delivery.

The shipped encrypted blob, hardcoded decryption key, hidden-window/policy-bypass PowerShell execution, and author-documented anti-virus evasion together constitute malware-distribution infrastructure. Although the harmful flow is invoked through the package's API rather than auto-running on `npm install` or `require()`, any developer using the package as documented will execute attacker-shaped, AV-evading PowerShell on Windows endpoints.
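The indicators listed above (an opaque hex-encoded blob in dist/, a hidden-window PowerShell launch with an execution-policy override, an MSXML2.ServerXMLHTTP fetch over plain HTTP, a drop path under %LOCALAPPDATA%, and the quoted XOR key) can be checked statically before a package is ever required. The scanner below is an added example written for this page; it is not code from the package, from amazon-inspector, or from the VDB. It builds a constructed, inert fixture that mirrors the described layout (the "blob" is random bytes and bootstrap.js holds only string literals), walks the tree, and reports which indicators each file matches. File names, thresholds and the verdict labels are assumptions of this example.

```python
"""Static triage of an npm package tree for the loader indicators in the advisory."""
import os
import random
import re
import tempfile

# Indicator strings are taken from the advisory text; the key is the one it quotes.
KNOWN_XOR_KEY = "f633ffeeffbbc09da9f2b477e1183294"
TEXT_INDICATORS = {
    "hidden_powershell": re.compile(r"powershell(?:\.exe)?[^\r\n]*-WindowStyle\s+Hidden", re.I),
    "execution_policy_override": re.compile(r"-ExecutionPolicy\s+(?:Bypass|Unrestricted|RemoteSigned)", re.I),
    "msxml_http_client": re.compile(r"MSXML2\.ServerXMLHTTP", re.I),
    "plain_http_url": re.compile(r"""["']http://[^"']+["']"""),
    "localappdata_drop": re.compile(r"LOCALAPPDATA", re.I),
    "known_xor_key": re.compile(KNOWN_XOR_KEY, re.I),
}
HEX_RE = re.compile(r"\A[0-9a-fA-F]+\Z")
TEXT_EXT = {".js", ".mjs", ".cjs", ".json", ".md", ".hta", ".ps1"}  # assumed set


def looks_like_opaque_hex_blob(data: bytes, min_bytes: int = 1024) -> bool:
    """True when a file is purely hex text that decodes to >= min_bytes of mostly
    non-printable bytes, i.e. an encoded payload rather than a hex-dumped text file."""
    text = "".join(data.decode("ascii", errors="ignore").split())
    if not text or len(text) % 2 or not HEX_RE.match(text):
        return False
    raw = bytes.fromhex(text)
    if len(raw) < min_bytes:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable / len(raw) < 0.8  # threshold is an assumption of this example


def scan_package(root: str) -> dict:
    """Walk a package tree and return {relative_path: [indicator names]}."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            hits = []
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                text = data.decode("utf-8", errors="ignore")
                hits += [k for k, rx in TEXT_INDICATORS.items() if rx.search(text)]
            if looks_like_opaque_hex_blob(data):
                hits.append("opaque_hex_blob")
            if hits:
                findings[rel] = hits
    return findings


def verdict(findings: dict) -> str:
    """An encoded blob shipped next to a hidden PowerShell launcher is the loader pattern;
    any single launcher/key indicator on its own is only 'suspicious'."""
    all_hits = {h for hits in findings.values() for h in hits}
    if "opaque_hex_blob" in all_hits and "hidden_powershell" in all_hits:
        return "malicious-loader-pattern"
    if all_hits & {"hidden_powershell", "execution_policy_override", "known_xor_key"}:
        return "suspicious"
    return "clean"


def build_sample_package(root: str) -> None:
    """Constructed fixture mirroring the advisory's layout; contents are inert strings."""
    dist = os.path.join(root, "dist")
    os.makedirs(dist, exist_ok=True)
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for the encrypted stub
    with open(os.path.join(dist, "ps1-stub.enc.hex"), "w") as fh:
        fh.write(blob.hex())
    with open(os.path.join(dist, "bootstrap.js"), "w") as fh:
        fh.write(
            'const KEY = "f633ffeeffbbc09da9f2b477e1183294";\n'
            'const DROP = process.env.LOCALAPPDATA + "\\\\Landpage\\\\";\n'
            'const CMD = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned '
            '-WindowStyle Hidden -File ";\n'
            'const CLIENT = "MSXML2.ServerXMLHTTP";\n'
            'const API = "http://192.168.1.143:3001";\n'
        )
    with open(os.path.join(root, "index.js"), "w") as fh:
        fh.write('module.exports = require("./dist/bootstrap.js");\n')


def scan_sample() -> dict:
    """Build the fixture in a temp dir, scan it, and return findings plus verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        findings = scan_package(tmp)
    return {"findings": findings, "verdict": verdict(findings)}


if __name__ == "__main__":
    result = scan_sample()
    for path, hits in sorted(result["findings"].items()):
        print(f"{path}: {', '.join(hits)}")
    print("verdict:", result["verdict"])
```

Run `scan_package("node_modules/ldpbootstrap-jquery")` against an extracted tarball instead of the fixture to triage the real package; the blob heuristic is deliberately independent of the XOR key so it still fires on a re-keyed variant, while the text indicators catch the launcher even if the blob is renamed.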

Is your version affected?

Enter the package version you are using and it will be evaluated immediately.

Affected packages

npm / ldpbootstrap-jquery

No fixed version published yet for ldpbootstrap-jquery (npm). Pin to a known-safe version or switch to an alternative.

References