MAL-2026-6097

Malicious code in roblox-api-client (npm)

Details

## Source: amazon-inspector (06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6)

On `npm install`, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it via `cmd /c` on Windows (postinstall.js line 7 hardcodes the URL; line 15 spawns the temp file with `windowsHide: true`). The destination domain is unrelated to the package's stated purpose (a Roblox API client), the URL is mutable and unpinned, no hash or signature verification is performed, and the transport is cleartext HTTP, so the operator can swap the served bytes at will. package.json metadata is placeholder-only (`author: your-name`, repo `github.com/your-username/roblox-api-client`), consistent with a hit-and-run squat rather than a legitimate publisher. This is a textbook install-time RCE dropper: any Windows developer running `npm install roblox-api-client` silently executes attacker-controlled code under their user account.
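The install-time pattern described above (a lifecycle hook that pulls a file over cleartext HTTP, drops it in the temp directory and spawns it) can be screened for before `npm install` ever runs hooks. The following is an added example, not code from the advisory, from Amazon Inspector, or from the package itself: a heuristic audit over a package's `package.json` and the script files its lifecycle hooks reference. The indicator names, the verdict rule, the two sample packages and the placeholder URL `http://example.invalid/placeholder.bat` are all constructed for this example.

```javascript
// Added example: heuristic audit of npm lifecycle hooks for the
// fetch-to-temp-and-execute dropper pattern. Not the advisory's or any
// scanner's real logic; indicator ids and thresholds are this example's own.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regex over the hook's script body (or its command string).
const INDICATORS = [
  { id: 'cleartext-http-url', re: /\bhttp:\/\/[^\s'"`)]+/ },
  { id: 'network-fetch', re: /\b(?:require\(['"]https?['"]\)|fetch\s*\(|axios|got\s*\()/ },
  { id: 'temp-dir', re: /\bos\.tmpdir\s*\(|\btmpdir\b/ },
  { id: 'process-spawn', re: /\bchild_process\b|\b(?:spawn|spawnSync|exec|execSync|execFile)\s*\(/ },
  { id: 'hidden-window', re: /windowsHide\s*:\s*true/ },
  { id: 'cmd-shell', re: /['"]cmd(?:\.exe)?['"][^\n]*['"]\/c['"]/i },
];

// Template metadata left unfilled, as in the advisory's package.json.
const PLACEHOLDER_METADATA = /\byour-(?:name|username)\b/;

// Returns the lifecycle hooks a package defines and the local JS file each
// one runs via `node <file>`, if that is the hook's shape.
function hookScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string').map((hook) => {
    const command = scripts[hook];
    const m = /\bnode\s+(\S+\.[cm]?js)\b/.exec(command);
    return { hook, command, file: m ? m[1] : null };
  });
}

// packageJsonText: contents of package.json; files: { filename: contents } for
// the package's script files (what you would read out of the unpacked tarball).
function auditPackage(packageJsonText, files) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const { hook, command, file } of hookScripts(pkg)) {
    const body = file && files[file] !== undefined ? files[file] : command;
    const indicators = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.id);
    if (indicators.length) findings.push({ hook, file, indicators });
  }
  const author = typeof pkg.author === 'string' ? pkg.author : (pkg.author && pkg.author.name) || '';
  const repo = typeof pkg.repository === 'string' ? pkg.repository : (pkg.repository && pkg.repository.url) || '';
  const metadata = PLACEHOLDER_METADATA.test(`${author} ${repo}`) ? ['placeholder-metadata'] : [];
  // Verdict rule (constructed): a hook that both reaches the network and spawns
  // a process is treated as a probable dropper.
  const dropper = findings.some(
    (f) => f.indicators.some((id) => id === 'cleartext-http-url' || id === 'network-fetch')
      && f.indicators.includes('process-spawn'),
  );
  return { findings, metadata, verdict: dropper ? 'suspicious' : 'ok' };
}

// Constructed sample 1: same shape as the advisory describes, with the download
// step elided and a placeholder URL instead of the real one.
const SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: 'example-client',
  version: '1.0.0',
  author: 'your-name',
  repository: { type: 'git', url: 'https://github.com/your-username/example-client' },
  scripts: { postinstall: 'node postinstall.js' },
});
const SUSPICIOUS_FILES = {
  'postinstall.js': [
    "const http = require('http');",
    "const os = require('os');",
    "const path = require('path');",
    "const { spawn } = require('child_process');",
    "const url = 'http://example.invalid/placeholder.bat'; // constructed placeholder",
    "const target = path.join(os.tmpdir(), 'placeholder.bat');",
    '// (download of url into target elided; only the shape matters here)',
    "spawn('cmd', ['/c', target], { windowsHide: true });",
  ].join('\n'),
};

// Constructed sample 2: a benign package whose prepare hook only copies files.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: 'example-lib',
  version: '1.0.0',
  author: 'Jane Maintainer',
  repository: { type: 'git', url: 'https://github.com/example-org/example-lib' },
  scripts: { prepare: 'node build.js', test: 'node test.js' },
});
const BENIGN_FILES = {
  'build.js': "const fs = require('fs');\nfs.copyFileSync('src/index.js', 'dist/index.js');\n",
};

console.log(JSON.stringify(auditPackage(SUSPICIOUS_PACKAGE_JSON, SUSPICIOUS_FILES), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PACKAGE_JSON, BENIGN_FILES), null, 2));
```

The audit is a triage aid, not a verdict: a benign native-build hook can legitimately spawn processes, and a dropper can be obfuscated past these regexes. The robust control is to stop hooks from running on untrusted packages in the first place, for example `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) in CI and developer machines, then enabling scripts only for packages that have been reviewed.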

Affected packages

npm / roblox-api-client

No fixed version published yet for roblox-api-client (npm). Pin to a known-safe version or switch to an alternative.
