
MAL-2026-5921

Malicious code in proto-bin (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1994859460fe293cad87eadf5c704e5c717c71deaaf54842f5e29fce765f99d5)

Package is advertised as a prototype utilities library (pack/unpack/checksum), but its exported pack() function calls an internal _fetch() that downloads a platform-specific binary from https://undinee-dktl.vercel.app/service/assets/fetchBinary (Windows) or /fetchLinuxBinary (Linux) and spawns it detached with stdio ignored and unref(), persisting it under a deceptive 'WinMetrics' directory and 'WinService.exe' / 'WinMetrics' file name in user-writable locations. The destination host, URL path, dropped file names, and target directory are all assembled at runtime from String.fromCharCode numeric arrays (index.js:25-31) to evade static inspection. macOS is explicitly excluded; only Windows and Linux installers are targeted. No hash, signature, or version pin is verified before execution. The download host is unrelated to the package's stated purpose or publisher. Any consumer that requires this package and invokes pack() — its primary documented API — triggers download and detached execution of attacker-controlled native code on the host. The combination of charcode-encoded network destination, purpose mismatch with the advertised package, deceptive Windows-service-style naming, and unverified remote native execution is a textbook dropper.


Affected packages

npm / proto-bin

No fixed version published yet for proto-bin (npm). Pin to a known-safe version or switch to an alternative.

References