
MAL-2026-6271

Malicious code in node-fetch-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308)

On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host (node22.lunes.host:3258), authenticates with a 5-minute rolling HMAC-SHA256 token, downloads encrypted Python marshal bytecode from /sync and /go, decrypts it with a SHA-256 keystream, writes a .dat blob and a Python launcher to %TEMP%, and spawns the launcher detached and hidden via wscript.exe //B //nologo against a generated .vbs, with a code comment explicitly noting that this "escapes npm job object". The launcher and the .vbs self-delete after the spawn.

The package.json also pulls a dependency, node-fetch-core, from an unpinned GitHub master-branch tarball owned by the same author. That is a second mutable auto-execution surface: it bypasses registry review, and its contents can be swapped after the package is published without changing the package version.

The package name mimics the well-known node-fetch library, consistent with a typosquat lure delivering this payload. Multi-layer obfuscation (XOR-encoded host and port, HMAC time-window authentication, keystream-encrypted payload, marshal'd bytecode), explicit npm job-object evasion, and self-deleting launchers are operational malware tradecraft, not legitimate install scaffolding.
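The two install-time patterns in the source analysis above, an unpinned GitHub branch tarball in package.json and a lifecycle script carrying launcher and evasion tradecraft, can be triaged mechanically before a package is allowed into a build. The following is an added example written for this page; it is not code from the advisory, from amazon-inspector, or from the package described. All names, paths, indicator regexes and sample inputs (including the inert stand-in postinstall script) are constructed for illustration and are assumptions, not artifacts of the real package.

```javascript
// Added example, not code from the advisory or from the package it describes.
// Triage for the two install-time patterns named above: dependencies fetched
// from an unpinned GitHub branch tarball, and lifecycle scripts showing the
// launcher/evasion tradecraft (wscript //B //nologo, %TEMP% staging, detached
// spawn, self-deleting launcher, rolling HMAC token, XOR-decoded strings,
// Python marshal). Names, paths and sample inputs are constructed for illustration.

// A GitHub ref counts as pinned only if it is a commit SHA or a version tag;
// branch names (master, main, ...) are mutable and can be swapped post-publish.
function refIsPinned(ref) {
  return /^[0-9a-f]{7,40}$/i.test(ref) || /^v?\d+\.\d+(?:\.\d+)?/.test(ref);
}

// Return the ref a dependency spec resolves to on GitHub, or null if the spec
// is not a GitHub source (registry ranges, file:, npm: aliases, other hosts).
function githubRef(spec) {
  let m;
  if ((m = spec.match(/^https?:\/\/(?:codeload\.)?github\.com\/[^/]+\/[^/]+\/(?:tarball|tar\.gz|archive)\/([^/]+?)(?:\.tar\.gz)?$/))) return m[1];
  if ((m = spec.match(/^(?:git\+)?(?:https?|ssh|git):\/\/(?:[\w.-]+@)?github\.com\/[^#]+(?:#(.+))?$/))) return m[1] || 'default-branch';
  if ((m = spec.match(/^(?:github:)?[\w-][\w.-]*\/[\w.-]+(?:#(.+))?$/))) return m[1] || 'default-branch';
  return null;
}

function findUnpinnedGithubDeps(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const ref = githubRef(String(spec));
      if (ref !== null && !refIsPinned(ref)) out.push({ field, name, spec, ref });
    }
  }
  return out;
}

// Indicators drawn from the behaviour described in the advisory. Each alone is
// weak (unlinkSync is common); several together in an install hook are not.
const INDICATORS = [
  { id: 'platform-gate',  re: /process\.platform\s*[!=]==?\s*['"]win32['"]/ },
  { id: 'xor-decode',     re: /charCodeAt\([^)]*\)\s*\^/ },
  { id: 'hmac-token',     re: /createHmac\s*\(\s*['"]sha256['"]|hmac\.new\(/i },
  { id: 'temp-staging',   re: /%TEMP%|process\.env\.TE?MP\b|os\.tmpdir\(\)/i },
  { id: 'vbs-launcher',   re: /\.vbs\b/i },
  { id: 'wscript-hidden', re: /\bwscript(?:\.exe)?\b[^\n]*\/\/B\b/i },
  { id: 'detached-spawn', re: /detached\s*:\s*true|windowsHide\s*:\s*true/ },
  { id: 'self-delete',    re: /unlink(?:Sync)?\s*\(|\bos\.remove\(/ },
  { id: 'python-marshal', re: /\bmarshal\.loads?\(|\bimport\s+marshal\b/ },
  { id: 'job-object',     re: /job\s*object/i },
];

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Scan each lifecycle hook. If the hook runs `node <file>` and that file's body
// is available in `files`, scan the body; otherwise scan the command line itself.
function scanInstallScripts(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    const m = cmd.match(/^node\s+(\S+)/);
    const candidate = m ? m[1].replace(/^\.\//, '') : null;
    const file = candidate && files[candidate] !== undefined ? candidate : null;
    const body = file ? files[file] : cmd;
    const indicators = INDICATORS.filter((ind) => ind.re.test(body)).map((ind) => ind.id);
    if (indicators.length) findings.push({ hook, file, indicators });
  }
  return findings;
}

function auditPackage(pkg, files = {}) {
  const unpinnedDeps = findUnpinnedGithubDeps(pkg);
  const scriptFindings = scanInstallScripts(pkg, files);
  const hits = scriptFindings.reduce((n, f) => n + f.indicators.length, 0);
  // Three or more tradecraft indicators across install hooks is treated as malicious;
  // a lone hit or an unpinned GitHub dependency is only suspicious and needs a look.
  const verdict = hits >= 3 ? 'malicious' : (hits > 0 || unpinnedDeps.length) ? 'suspicious' : 'clean';
  return { unpinnedDeps, scriptFindings, verdict };
}

// Constructed sample mirroring the shape described above (not the real package).
const SUSPECT_PKG = {
  name: 'example-fetch-utils',
  version: '1.0.0',
  scripts: { postinstall: 'node scripts/postinstall.js' },
  dependencies: {
    'node-fetch': '^3.3.2',
    'example-fetch-core': 'https://github.com/example-user/example-fetch-core/tarball/master',
  },
};
const SUSPECT_FILES = {
  'scripts/postinstall.js': `
    // inert stand-in for the launcher pattern; no real host, no download
    const cp = require('child_process'), crypto = require('crypto'), fs = require('fs'), path = require('path');
    if (process.platform !== 'win32') process.exit(0);
    const key = 'k', host = '....'.split('').map((c, i) => String.fromCharCode(c.charCodeAt(0) ^ key.charCodeAt(i % key.length))).join('');
    const token = crypto.createHmac('sha256', 'secret').update(String(Math.floor(Date.now() / 300000))).digest('hex');
    const vbs = path.join(process.env.TEMP, 'launch.vbs');
    cp.spawn('wscript.exe', ['//B', '//nologo', vbs], { detached: true, stdio: 'ignore' }).unref(); // escapes npm job object
    fs.unlinkSync(vbs);
  `,
};
// Constructed benign control: pinned GitHub sources and a harmless postinstall.
const BENIGN_PKG = {
  name: 'example-clean',
  version: '1.0.0',
  scripts: { postinstall: 'node -e "console.log(\'thanks\')"' },
  dependencies: {
    'node-fetch': '^3.3.2',
    'example-lib': 'example-user/example-lib#2f7a1c9',
    'example-tool': 'https://github.com/example-user/example-tool/archive/v1.2.0.tar.gz',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPackage(SUSPECT_PKG, SUSPECT_FILES), null, 2));
  console.log(JSON.stringify(auditPackage(BENIGN_PKG), null, 2));
}
```

Run it against an extracted tarball by loading package.json and the files referenced by its lifecycle hooks into the `files` map. The indicator list is deliberately narrow to the tradecraft this advisory describes; non-GitHub tarball URLs are just as mutable and would need their own check. A result of `suspicious` on the unpinned-dependency check alone is still worth acting on, since that surface can be swapped without any new version appearing on the registry.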


Affected packages

npm / node-fetch-utils

No fixed version has been published for node-fetch-utils (npm). Pin to a known-safe version or switch to an alternative. Because the payload runs from the install hook, any Windows host on which this package's postinstall script executed should be treated as compromised and investigated, not merely have the package removed.

References