MAL-2026-5884
Malicious code in vortnode (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb)

On `npm install`, the `preinstall` hook (`node lib/setup.js`) runs on Windows and invokes `lib/worker.js`, which downloads an executable to `%LOCALAPPDATA%\Temp` (or `%TEMP%`) under Microsoft-update cover names (`msedge_update`, `chrome_installer`, `dotnet_host`, `onedrive_setup`, `teams_update`) and silently executes it via `spawn(fp, [], { detached: true, stdio: 'ignore', windowsHide: true })` followed by `ch.unref()`. The download URL is XOR-decoded at runtime from opaque buffers carried in the `foldmap` dependency, with a fallback chain of https → `curl.exe` → `bitsadmin` to maximize delivery; TLS verification is disabled (`rejectUnauthorized: false`), and the Mark-of-the-Web `:Zone.Identifier` ADS is stripped before execution. All sensitive identifiers in `lib/worker.js` (`https`, `child_process`, `spawn`, `curl.exe`, `bitsadmin`, `powershell.exe`, `:Zone.Identifier`, environment variable names, cover filenames) are constructed with `String.fromCharCode(...)` to evade signature scanning. The package's advertised `index.js` API (`spawn`/`kill`/`list`/`has`) is a decoy never referenced by the install path. Any developer or CI runner installing `vortnode` on Windows executes attacker-controlled code as the current user.
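The advisory's two detection-relevant observations are that the payload rides on an npm lifecycle hook and that every telling identifier is hidden behind `String.fromCharCode(...)` with literal numeric arguments. The following static triage script is an added example, not the advisory's or the package's own code: it flags lifecycle hooks in `package.json`, decodes literal `String.fromCharCode` calls so the hidden strings can be matched against a watchlist, and checks for the disabled TLS verification and detached-spawn options the advisory names. The sample package.json and worker script it scans are constructed in-line to mimic the described pattern and are never executed; `triage`, `WATCHLIST` and the `_cc` helper are assumed names.

```python
"""Static triage of an npm package for install-hook abuse (added example)."""
import json
import re
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Identifiers that are suspicious when a script goes out of its way to hide
# them; the list is taken from the advisory text above.
WATCHLIST = (
    "child_process", "spawn", "curl.exe", "bitsadmin",
    "powershell.exe", ":Zone.Identifier", "https",
)

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")


def decode_fromcharcode(source: str) -> List[str]:
    """Return the string each String.fromCharCode(...) call with purely
    numeric arguments in `source` would produce."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(source):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def audit_package_json(text: str) -> List[str]:
    """Report every lifecycle hook that would run code during `npm install`."""
    scripts = json.loads(text).get("scripts") or {}
    return [f"lifecycle hook {hook!r} runs: {scripts[hook]}"
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def audit_script(source: str) -> List[str]:
    """Report obfuscated identifiers and risky options in one JS source."""
    findings = []
    for s in decode_fromcharcode(source):
        for w in WATCHLIST:
            if w in s:
                findings.append(f"hidden identifier {w!r} built with String.fromCharCode")
    if re.search(r"rejectUnauthorized\s*:\s*false", source):
        findings.append("TLS verification disabled (rejectUnauthorized: false)")
    if (re.search(r"detached\s*:\s*true", source)
            and re.search(r"stdio\s*:\s*['\"]ignore['\"]", source)):
        findings.append("detached spawn with stdio ignored")
    return findings


def triage(package_json: str, scripts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a package.json plus a mapping of script path -> source text."""
    report = {"package.json": audit_package_json(package_json)}
    for path, source in scripts.items():
        report[path] = audit_script(source)
    return report


# --- constructed sample input (not vortnode's code; scanned, never run) ---

def _cc(s: str) -> str:
    """Render a string the way the obfuscation in the advisory does."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"preinstall": "node lib/setup.js"},
})

SAMPLE_WORKER_JS = f"""
const cp = require({_cc('child_process')});
const tool = {_cc('bitsadmin')};
const ads = {_cc(':Zone.Identifier')};
const opts = {{ rejectUnauthorized: false }};
const ch = cp.spawn(fp, [], {{ detached: true, stdio: 'ignore', windowsHide: true }});
"""

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PACKAGE_JSON,
                                 {"lib/worker.js": SAMPLE_WORKER_JS}).items():
        print(path)
        for f in findings:
            print("  -", f)
```

The decoder only handles the literal-argument form the advisory describes; calls whose arguments are computed at runtime will not decode and should be treated as a finding in their own right. In practice, run this over the unpacked tarball (`npm pack` output) before installation, and pair it with `npm install --ignore-scripts` in CI so that a flagged hook cannot run at all.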
Affected packages
No fixed version published yet for vortnode (npm). Pin to a known-safe version or switch to an alternative.