MAL-2026-6234

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e) yian666aikf@1.0.3 advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell. package.json registers a postinstall hook (scripts/postinstall.js) that spawns scripts/shell.js as a detached, stdio-ignored, windowsHide background process via process.execPath. shell.js opens a TCP socket to 114.67.90.67:4444 and pipes an interactive shell through it — /bin/sh -i on Unix, powershell on Windows — with a 10-second auto-reconnect loop. The shipped index.js exposes benign string helpers (capitalize/truncate/etc.) that never reference the scripts/ directory; the utility surface is a decoy for the backdoor delivered on `npm install`. Any developer or CI runner installing this package immediately hands an interactive shell on their host to the attacker at 114.67.90.67:4444, with persistence via the reconnect loop.