
MAL-2026-5862

Malicious code in vitest-pro (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603)

Package `vitest-pro` is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and `main` entry (`lib/nodemailer.js`) are a verbatim copy of nodemailer with the name string rewritten.

`package.json` declares `"postinstall": "node lib/utils/index.js"`, which on `npm install` spawns `lib/utils/smtp-connection/index.js` as a detached child process (`spawn(process.execPath, [filePath], {detached:true, stdio:['ignore','ignore','ignore']})`).

That file is heavily obfuscated with two stacked layers (a custom base-91-style decoder populating a string cache, plus an obfuscator.io string-array with `_0x...` identifiers); once decoded it loads `axios` and `child_process`, polls a hardcoded C2 at `74.0.48.37:4556` and `74.0.48.37:4558`, downloads a ZIP, extracts it via `tar` / `Expand-Archive` / `unzip`, and executes the dropped binary.

It then establishes cross-platform persistence: on Windows it writes to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` via `reg.exe add`, registers a `schtasks /create... /sc ONLOGON` task, and drops a startup `.cmd` under `%APPDATA%\...\Startup`; on macOS it writes a LaunchAgent plist under `~/Library/LaunchAgents` and runs `launchctl load`.

Any developer or CI system running `npm install vitest-pro` is compromised at install time and re-compromised on every reboot.

Affected packages

npm / vitest-pro

No fixed version published yet for vitest-pro (npm). Pin to a known-safe version or switch to an alternative.
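
A lockfile check for the package named above, as an added example that is not part of the advisory or of any tool it references. It covers lockfile versions 1 to 3 and also catches the package when it is installed under an alias; the sample lockfiles, the `demo-app`, `test-helpers` and `some-plugin` names and all version strings are constructed for illustration.

```javascript
// Added example: find every install of a named package in an npm lockfile (v1-v3).
const TARGET = "vitest-pro"; // package named in this advisory

// Package name for a v2/v3 "packages" key, e.g. "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{ path, version, hasInstallScript }] for each install of `target`.
function findPackage(lock, target = TARGET) {
  const hits = [];
  // Lockfile v2/v3: flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // `name` is recorded when the folder name is an alias for another package.
    const name = entry.name || nameFromPath(path);
    if (name !== target) continue;
    hits.push({ path, version: entry.version, hasInstallScript: entry.hasInstallScript === true });
  }
  if (lock.packages) return hits; // v2 also carries the legacy tree; do not count twice
  // Lockfile v1: nested "dependencies" tree; aliases appear as "npm:<name>@<version>".
  const walk = (deps, prefix) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${key}`;
      const alias = /^npm:(.+)@([^@]+)$/.exec(entry.version || "");
      // v1 does not record install scripts, so hasInstallScript is null (unknown).
      if ((alias ? alias[1] : key) === target) {
        hits.push({ path, version: alias ? alias[2] : entry.version, hasInstallScript: null });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles; names other than vitest-pro and all versions are made up.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/vitest": { version: "0.0.0" },
  "node_modules/test-helpers": { name: "vitest-pro", version: "0.0.1", hasInstallScript: true },
  "node_modules/some-plugin/node_modules/vitest-pro": { version: "0.0.2", hasInstallScript: true },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  vitest: { version: "0.0.0" },
  "some-plugin": { version: "0.0.0", dependencies: { "vitest-pro": { version: "0.0.2" } } },
} };
console.log(findPackage(sampleV3), findPackage(sampleV1));
```

Pass the parsed contents of a project's `package-lock.json` as `lock`. A hit with `hasInstallScript: true` means the package declares install scripts, which run during `npm install` unless scripts were disabled.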
