MAL-2026-5933
Malicious code in react-vite-assert (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (746aecfafda9a8f780b53ef40a5697875c52514dfa6ebb29306992ad06128395)

react-vite-assert@1.4.1 executes attacker-controlled JavaScript whenever the package is imported. The main entry transitively loads src/features/extras/config.js, which runs a top-level async IIFE that issues an HTTPS GET to https://www.jsonkeeper.com/b/HXDNM, takes the `data.config` string from the response, wraps it with `new Function('require', s)`, and invokes it with a `createRequire(import.meta.url)`-built `require`, granting the fetched code full Node.js access (filesystem, network, child_process, env). The fetch is retried up to 5 times. The remote URL and request headers are disguised by a fake local `process` shadow object whose keys are named DEV_API_KEY/DEV_SECRET_KEY/DEV_SECRET_VALUE, where DEV_API_KEY actually holds the paste URL and the other two hold a request header name/value: deliberate misdirection rather than configuration. jsonkeeper.com is an anonymous, mutable paste host: whoever controls /b/HXDNM can change the executed payload at any time without republishing the package. The combination of import-time auto-execution, anonymous mutable code source, eval of fetched bytes with full `require`, and cover-story variable naming is unambiguous supply-chain attack tradecraft.
Affected packages
No fixed version published yet for react-vite-assert (npm). Pin to a known-safe version or switch to an alternative.
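The following is an added example written for this page; it is not code from the advisory, from amazon-inspector, or from the react-vite-assert package. It turns the two actionable parts of the record into checks a defender can run: the source description above (import-time IIFE, `new Function('require', ...)` applied to fetched bytes, a `createRequire(import.meta.url)` require, a paste-host URL, and a shadowed `process` object) becomes a static indicator scan, and the affected-package note becomes a lockfile check for `react-vite-assert`. The indicator list, the verdict rule, the function names and the two constructed inputs are all assumptions of this example. Because `createRequire(import.meta.url)` is common in legitimate ESM packages, the scan only escalates to `high` when a fetched-string `Function` constructor appears alongside it or alongside the paste host.

```javascript
// Added example for MAL-2026-5933 (not the package's or the advisory's code).
// Static indicators derived from the advisory's description of config.js.
const INDICATORS = [
  // Source text built into a function whose first parameter is a real `require`.
  { id: 'dynamic-function-require', re: /new\s+Function\s*\(\s*['"]require['"]/ },
  // A genuine require handed to dynamically built code (benign on its own).
  { id: 'create-require-import-meta', re: /createRequire\s*\(\s*import\.meta\.url\s*\)/ },
  // Work that runs as a side effect of `import`, not when an API is called.
  { id: 'top-level-async-iife', re: /\(\s*async\s*\(\s*\)\s*=>\s*\{[\s\S]*?\}\s*\)\s*\(\s*\)/ },
  // The anonymous, mutable paste host named in the advisory.
  { id: 'paste-host-url', re: /https?:\/\/(www\.)?jsonkeeper\.com\//i },
  // A local object named `process`, hiding config-looking keys from casual review.
  { id: 'shadowed-process-object', re: /\b(const|let|var)\s+process\s*=/ },
];

// Scan one file's source text. Returns matched indicator ids and a verdict.
function scanSource(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
  let verdict = 'clean';
  if (hits.includes('dynamic-function-require') &&
      (hits.includes('create-require-import-meta') || hits.includes('paste-host-url'))) {
    verdict = 'high'; // fetched bytes evaluated with a real require: the shape described above
  } else if (hits.length >= 2) {
    verdict = 'review';
  }
  return { hits, verdict };
}

// Versions the advisory names as malicious. No fixed version is published,
// so any other version of this package is reported as unverified, not safe.
const KNOWN_MALICIOUS = { 'react-vite-assert': new Set(['1.4.1']) };

// Walk a package-lock.json (lockfileVersion 2 or 3 `packages` map) and report
// every installed copy of a package that has an advisory entry.
function findAffected(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop(); // handles nested and @scoped paths
    if (!name) continue; // root project entry has the empty key
    const bad = KNOWN_MALICIOUS[name];
    if (!bad) continue;
    findings.push({
      name,
      path,
      version: entry.version,
      status: bad.has(entry.version) ? 'malicious' : 'unverified (no fixed version published)',
    });
  }
  return findings;
}

// Constructed sample inputs (assumptions, not real package contents).
// The suspicious sample is inert: the telltale calls live inside a comment.
const CONSTRUCTED_SUSPICIOUS = `
const process = { DEV_API_KEY: 'https://www.jsonkeeper.com/b/PLACEHOLDER' };
(async () => {
  // ... fetch body, then: new Function('require', s)(createRequire(import.meta.url))
})();
`;

const CONSTRUCTED_BENIGN = `
import { createRequire } from 'node:module';
const require = createRequire(import.meta.url);
const pkg = require('./package.json');
export const version = pkg.version;
`;

const CONSTRUCTED_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.1' },
    'node_modules/react': { version: '18.3.1' },
    'node_modules/react-vite-assert': { version: '1.4.1' },
  },
};

// Stand-alone run: print both scans and the lockfile findings.
console.log('suspicious sample:', scanSource(CONSTRUCTED_SUSPICIOUS));
console.log('benign sample:', scanSource(CONSTRUCTED_BENIGN));
console.log('lockfile findings:', findAffected(CONSTRUCTED_LOCKFILE));
```

To apply this to a real tree, feed `scanSource` the text of each `.js`/`.mjs`/`.cjs` file under `node_modules` and `findAffected` the parsed `package-lock.json`; a `high` verdict or a `malicious` finding is the point at which the package should be removed from the install before anything imports it.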