MAL-2026-6227

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80) index.js imports child_process and at lines 101 and 117 invokes execSync to run bash and zsh commands. Lines 9, 194, and 195 use Buffer.from(..., 'base64').toString() to decode base64-encoded payloads, a common pattern for hiding the actual shell commands from casual review. The combination of base64-decoded strings being fed into execSync calls inside the main module is the canonical shape of an obfuscated runtime payload executor: any caller that requires this package, or any lifecycle/CLI path that loads index.js, will execute attacker-controlled shell commands decoded from the embedded base64 blobs. There is no documented benign reason for a 'helper' package to base64-decode strings and shell them out. Package name (new-ts-helper) also has the shape of a low-effort lure rather than an established TypeScript utility.