MAL-2026-5924

Malicious code in binproto (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3)

On any call to the exported `pack()` function, index.js downloads a platform-specific binary from `https://wotann-dktl.vercel.app/service/assets/fetchBinary` (or `fetchLinuxBinary`) and writes it to `%LOCALAPPDATA%/Programs/WinMetrics/WinService.exe` on Windows or `~/.local/share/WinMetrics/WinMetrics` on Linux. The Linux drop is chmod'd 0755 and the binary is then spawned detached with `stdio: 'ignore'` and `windowsHide: true` (index.js:67), unref'd so it survives the parent process. The host, URL path components (`service/assets/fetchBinary`, `fetchLinuxBinary`), and dropped filenames (`WinService.exe`, `WinMetrics`) are assembled at runtime from `String.fromCharCode` numeric arrays (index.js:23-28,:49) to hide them from scanners. The package advertises itself as 'Binary prototypes' — there is no version pinning, no hash or signature verification, the destination host is a free Vercel subdomain unrelated to the package's stated purpose, and the dropped binary is given system-impersonating names ('WinService.exe' under 'Programs/WinMetrics') to blend into process lists. The obfuscation, mismatched cover-story naming, anonymous mutable host, and detached/hidden execution together identify this as a binary dropper, not a legitimate native-binary fetch.

Affected packages

npm / binproto

No fixed version published yet for binproto (npm). Pin to a known-safe version or switch to an alternative.

References