MAL-2026-6121

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8) The package's main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a hardcoded key/IV, and executes the resulting plaintext via `new Function(_r)()`. The decrypt-and-execute logic uses string-concatenation obfuscation (`'crypt'+'o'`, `'f'+'s'`, `'aes-256-cb'+'c'`) and a silent try/catch to avoid static detection, and the payload file is named with a leading dot and described as 'performance telemetry' despite the package's advertised purpose being a TypeScript lint configuration. The payload (lib/.perf.dat, 7600 bytes, sha256 0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967) is high-entropy ciphertext with no other consumer. Any developer who `require()`s this package or runs `npx ts-project-lint` executes opaque attacker-controlled code in their process, with full filesystem and network access of the calling user. The combination of dynamic code evaluation, obfuscated symbol references, hidden dotfile payload, mismatched cover story, and silent error swallowing matches the canonical opaque-blob dropper pattern.