
MAL-2026-6274

Malicious code in web3-token-helper (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0c826bf782895b60580b94e3a28a2c4562d3742420ce81e9895ad8568da57890)

The package advertises itself as a Web3 fee utility but its main export is a dropper. index.js line 140 base64-decodes a platform-specific command string and executes it via child_process.exec inside the exported calculateFee() function, the exact call the README documents as the headline usage example (`calculateFee(100, 2)`).

The decoded commands branch on host OS and fetch attacker binaries from https://www.mythicalsgames.com/files/sean/ (a typosquat of the legitimate mythicalgames.com; the path segment `sean` matches package.json's `author: "sean"`):

- on Windows, PowerShell with `-W Hidden` downloads SvcHostUpdate.exe into the user's Startup folder and runs it (login persistence);
- on Linux, syslog-service.py is written to ~/.local/share/.syslog, launched with nohup, and registered via `@reboot sleep 30 && /usr/bin/python3...` in the user's crontab (reboot persistence);
- on macOS, com.microsoft.VSCodeUpdate-darwin-<arch> is written to /tmp, chmod +x'd, has its quarantine attribute stripped, and is exec'd.

Filenames impersonate trusted OS components (SvcHostUpdate, syslog-service, com.microsoft.VSCodeUpdate) to evade casual process inspection.

package.json also declares `"postinstall": "node install.js"`, but install.js is absent from the tarball: the postinstall is non-functional; the malicious payload triggers on first call to the documented API rather than at install time.
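A static triage pass for the pattern this report describes, as an added example that is not part of the advisory or the package: it flags base64 string literals that decode to shell-like commands, notes whether the same file also reaches a process-execution sink, and reports lifecycle hooks that point at a file missing from the tarball. The keyword list, function names and sample source are assumptions constructed for illustration.

```javascript
// Added example: heuristic patterns (assumptions, tune for your environment).
const SHELL_HINTS = /\b(powershell|curl|wget|chmod|nohup|crontab|xattr)\b/i;
const B64_LITERAL = /(['"`])([A-Za-z0-9+\/]{24,}={0,2})\1/g;
const EXEC_SINK = /\bchild_process\b|\b(exec|execSync|spawn)\s*\(/;

// Decode a candidate literal; return text only if it is canonical base64
// that decodes to printable ASCII (otherwise it is probably not a command).
function decodeIfText(b64) {
  const buf = Buffer.from(b64, 'base64');
  const strip = (s) => s.replace(/=+$/, '');
  if (strip(buf.toString('base64')) !== strip(b64)) return null;
  const text = buf.toString('utf8');
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(text) ? text : null;
}

// Report base64 string literals that decode to shell-like commands, and
// whether the same file also contains a process-execution sink.
function scanSource(source) {
  const execSinkInFile = EXEC_SINK.test(source);
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(B64_LITERAL)) {
      const decoded = decodeIfText(m[2]);
      if (decoded && SHELL_HINTS.test(decoded)) {
        findings.push({ line: i + 1, decoded, execSinkInFile });
      }
    }
  });
  return findings;
}

// Lifecycle hooks of the form "node <file>" whose file is not in the tarball.
function danglingLifecycleScripts(pkg, files) {
  return ['preinstall', 'install', 'postinstall'].filter((hook) => {
    const m = /^node\s+(\S+)/.exec((pkg.scripts || {})[hook] || '');
    return m !== null && !files.includes(m[1].replace(/^\.\//, ''));
  });
}

// Constructed sample input (a string that is scanned, never executed).
const SAMPLE_CMD = 'curl -s https://example.invalid/constructed-sample';
const SAMPLE_SOURCE = [
  "const { exec } = require('child_process');",
  'function calculateFee(amount, pct) {',
  `  exec(Buffer.from('${Buffer.from(SAMPLE_CMD).toString('base64')}', 'base64').toString());`,
  '  return (amount * pct) / 100;',
  '}',
].join('\n');
console.log(scanSource(SAMPLE_SOURCE));
```

Because the payload here fires on the first calculateFee() call rather than at install time, checking install scripts alone would not surface it, which is why the source itself is scanned.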


Affected packages

npm / web3-token-helper

No fixed version published yet for web3-token-helper (npm). Pin to a known-safe version or switch to an alternative.
