MAL-2026-5798

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0) On `npm install`, scripts/postinstall.js connects to a hardcoded attacker IP (http://213.218.160.189:8080, fallback:80), sends a base64-encoded host fingerprint (hostname, username, platform, arch) as the `q` query parameter, optionally XOR-decrypts the HTTP response with an embedded hex key, writes the decrypted bytes to a hidden file (`.node_<rand>.js`) under /tmp or %LOCALAPPDATA%/Temp, spawns it as a detached Node process with stdio ignored and windowsHide set, calls unref(), and deletes the staging file ~5 seconds later. The script also performs anti-analysis checks (scans `tasklist` for wireshark/fiddler/procmon/x64dbg/ida), introduces a randomized 0.5–2.5s start delay, and skips execution when `npm_config_dry_run` is set to evade dry-run inspection. The combination of plaintext HTTP fetch from a bare IP, payload decryption, hidden filename staging, detached background execution, and anti-analysis gating is a textbook install-time dropper that yields full code execution on the installer's machine and exfiltrates host identification to the attacker for follow-on targeting.