
MAL-2026-6139

Malicious code in @httpactions/encode-url (npm)

Details


## Source: amazon-inspector (2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e)

The package ships a single heavily obfuscated index.js that performs no URL-encoding work despite the package name. On require() of the declared main, top-level invocation of Zt() triggers an HTTP GET to a hardcoded C2 endpoint whose URL is reconstructed from base64 fragments combined via an XOR routine (function H). The response body is written to disk via fs.writeFileSync and executed by child_process.exec / child_process.spawn using process.execPath (the local Node runtime). A second routine mt() POSTs host identifiers (os.hostname(), os.userInfo().username, platform, arch) to the same C2 on every load, and a setInterval re-runs the fetch-and-execute loop approximately every 615 seconds.

All sensitive identifiers ('child_process', 'fs', 'exec', 'spawn', 'writeFileSync', 'hostname', 'userInfo', etc.) are concealed as base64 strings with a leading-byte strip, behind an obfuscator.io string-array dispatcher. package.json has empty description, empty author, no repository, and the module exports nothing: the only effect of installing or requiring this package is the dropper. The @httpactions scope and the encode-url name are a lure with no matching functionality.


Affected packages

npm / @httpactions/encode-url

No fixed version published yet for @httpactions/encode-url (npm). Pin to a known-safe version or switch to an alternative.

References