MAL-2026-5985
Malicious code in node-path-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9)

Package name `node-path-utils` and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core `path` standard library to lure developers into installing it.

On `require()` of the main entry (`path.js`), a top-level IIFE invokes `loadTokenData()`, which decodes a base64-encoded URL (`aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9QMENORA==` → `https://www.jsonkeeper.com/b/P0CND`), `fetch()`es it, and passes the response JSON's `content` field directly to `eval()`. jsonkeeper.com is a free, mutable JSON-paste service: whoever controls the paste can swap the served code at any time, executing arbitrary attacker-controlled JavaScript in the consumer's Node process on every import.

Additionally, `path.js` does `require('mddriver')` at module top with `mddriver: "*"` in dependencies: an unused, unpinned third-party package pulled into the installer's process at import, providing a second smuggling vector for attacker code via the transitive dependency.

The combination of stdlib impersonation, base64-obfuscated remote fetch, eval of mutable paste-host content, and an unused wildcard-pinned sidecar dependency is an unambiguous remote-code-execution dropper.
Affected packages
No fixed version published yet for node-path-utils (npm). Pin to a known-safe version or switch to an alternative.