MAL-2026-5930

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172) package.json declares `"postinstall": "node index.js"`, and index.js is a heavily obfuscated single-file script (RC4+base64 string-array with rotating shift and two decoder wrappers). After deobfuscation, the postinstall body performs an HTTP GET to a built URL, writes the response body to a file under `os.tmpdir()` using `fs.writeFileSync(..., {flag:'w+'})`, and immediately executes the dropped file via `child_process.exec(path, {windowsHide:true, cwd: process.cwd()})`. This fires automatically on `npm install` with no user interaction and lands attacker-controlled bytes on the installer's machine. Author and description fields are empty, the obfuscation has no legitimate justification for a 'utility' package, and the README contradicts the published name by instructing users to install/require `@array-util/subsearch` — a name-confusion lure designed to harvest installs while hiding under a different documented identity. The combination of install-time remote fetch-and-exec, obfuscation intent to evade scanners, and identity mismatch is a textbook supply-chain dropper.